PT-2025-45700 · Go · github.com/TecharoHQ/anubis

Published: 2025-10-30 · Updated: 2025-10-30

CVSS v4.0: 5.1 (Medium)

Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N

Summary

When subrequest authentication is used, Anubis did not validate the redirect URL and would redirect the user to a URL of any scheme. Most modern browsers refuse to follow a redirect to a javascript: URL, but an unvalidated scheme can still trigger dangerous behaviour in other cases.

GET https://example.com/.within.website/?redir=javascript:alert() responds with Location: javascript:alert().

Impact

Any deployment that uses subrequest authentication is affected. A javascript: URL will most likely be blocked by modern browsers, but a custom URL scheme registered by a third-party application could still cause the browser to hand the URL to that application and trigger dangerous operations there.
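The following Go program is an added illustration of the behaviour described above and of one way to validate the target; it is not Anubis code and not the project's actual fix. The handler names, the helper safeRedirectTarget and the error value errBadRedirect are hypothetical, and the requests are constructed against the advisory's example host and endpoint path. Beyond the scheme problem the advisory reports, the check also rejects protocol-relative targets and absolute http(s) URLs on a different host, since those are the usual next steps once a scheme allowlist is in place.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// errBadRedirect is a hypothetical name used here for illustration, not an
// Anubis identifier.
var errBadRedirect = errors.New("refusing redirect target")

// safeRedirectTarget accepts only what a post-auth redirect should ever point
// at: an absolute path on this origin, or an absolute http(s) URL whose host
// matches allowedHost. Every other scheme (javascript:, data:, app-specific
// handlers such as myapp://) is rejected.
func safeRedirectTarget(raw, allowedHost string) (string, error) {
	// Browsers treat "//host" and "/\host" as protocol-relative, so refuse
	// them before the parser gets a chance to read them as a plain path.
	if strings.HasPrefix(raw, "//") || strings.Contains(raw, "\\") {
		return "", errBadRedirect
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", errBadRedirect
	}
	switch strings.ToLower(u.Scheme) {
	case "":
		// Relative reference: require an absolute path and no host component.
		if u.Host != "" || !strings.HasPrefix(u.Path, "/") {
			return "", errBadRedirect
		}
	case "http", "https":
		if !strings.EqualFold(u.Host, allowedHost) {
			return "", errBadRedirect
		}
	default:
		return "", errBadRedirect
	}
	return u.String(), nil
}

// vulnerableRedirect reproduces the behaviour the advisory describes: the
// ?redir= value is copied verbatim into the Location header.
func vulnerableRedirect(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, r.URL.Query().Get("redir"), http.StatusFound)
}

// hardenedRedirect validates the target and falls back to "/" instead of
// reflecting an attacker-supplied URL.
func hardenedRedirect(w http.ResponseWriter, r *http.Request) {
	target, err := safeRedirectTarget(r.URL.Query().Get("redir"), r.Host)
	if err != nil {
		target = "/"
	}
	http.Redirect(w, r, target, http.StatusFound)
}

// locationFor sends a constructed request for the advisory's endpoint path
// through h and returns the resulting Location header.
func locationFor(h http.HandlerFunc, rawRedir string) string {
	req := httptest.NewRequest(http.MethodGet,
		"https://example.com/.within.website/?redir="+url.QueryEscape(rawRedir), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Header().Get("Location")
}

func main() {
	for _, redir := range []string{"/dashboard?tab=1", "https://example.com/next",
		"javascript:alert()", "//evil.example/", "myapp://open"} {
		fmt.Printf("%-26q vulnerable: %q\n", redir, locationFor(vulnerableRedirect, redir))
		fmt.Printf("%-26q hardened:   %q\n", redir, locationFor(hardenedRedirect, redir))
	}
}
```

Running it shows the vulnerable handler emitting Location: javascript:alert() and Location: myapp://open verbatim, while the hardened handler answers "/" for every rejected target and passes same-origin paths and same-host https URLs through unchanged. Falling back to "/" rather than returning an error keeps a legitimate user who arrived with a mangled redir parameter inside the site instead of on an error page.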

Note

This was originally reported by @mbiesiad against Weblate.

Fix

Weakness Enumeration

XSS

Open Redirect

Related Identifiers

GHSA-cf57-c578-7jvv

Affected Products

github.com/TecharoHQ/anubis