CVE-2025-5256: 
PHP vulnerability analysis and mitigation

An Open Redirection vulnerability (CVE-2025-5256) was discovered in Mautic's user unlocking endpoint. The vulnerability was disclosed on May 28, 2025, affecting Mautic versions greater than 1.0. The issue exists in the /s/action/unlock/user.user/0 endpoint, where the returnUrl parameter is not properly validated (Mautic Advisory).

The vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site). It received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. This scoring indicates that the vulnerability requires no privileges to exploit, though user interaction is needed, and it can be accessed over the network with low attack complexity (NVD, Mautic Advisory).

The vulnerability could be exploited by attackers to redirect legitimate users to malicious websites, potentially leading to phishing attacks or the delivery of exploit kits. The impact assessment shows low impact on both confidentiality and integrity, with no impact on availability (Mautic Advisory).

The vulnerability has been patched in Mautic versions 6.0.2, 5.2.6, and 4.4.16. Users are advised to update to these patched versions, which properly validate and sanitize the returnUrl parameter to ensure that redirects only occur to trusted, internal URLs or explicitly whitelisted domains (Mautic Advisory).