I have a tt-rss instance on a subdomain of my domain for which I run a (no-payout) bug bounty program, so people can report security issues on my webpages via the Hackerone platform.
I got a report that the tt-rss instance has an open redirect, i.e. someone can create a URL on it that will redirect to any arbitrary external URL:
Take a publicly accessible tt-rss instance and append this to the hostname:
Whether open redirects should be considered security vulnerabilities is somewhat controversial, but it looks unintended and probably something that should be fixed.
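For readers unfamiliar with how such a redirect is normally closed off, the usual fix is to validate the redirect target before issuing the Location header, accepting only paths on the same site (or absolute URLs to the instance's own host) and falling back to a safe default otherwise. The following is an added illustration written for this post, not tt-rss code (tt-rss itself is PHP); the function name safe_redirect_target, the host name rss.example.org and the sample targets are all constructed for the example. It also covers the edge cases a naive "starts with /" check misses: scheme-relative "//host" targets, backslashes that browsers treat as slashes, userinfo tricks such as "https://own-host@other-host", non-http schemes, and control characters that would allow header injection.

```python
from urllib.parse import urlsplit


def safe_redirect_target(target: str, own_host: str, fallback: str = "/") -> str:
    """Return `target` only if it can land on our own site; otherwise `fallback`.

    own_host is the exact host (and port, if non-default) this instance is
    served on, e.g. "rss.example.org" (a constructed example value).
    """
    if not target:
        return fallback

    # Control characters (CR/LF/tab/...) in a Location header enable header
    # injection and make URL parsing ambiguous; never forward them.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return fallback

    # Browsers normalise "\" to "/" in URLs, so "/\evil.example" is really
    # "//evil.example" (scheme-relative, i.e. external). Reject outright.
    if "\\" in target:
        return fallback

    parts = urlsplit(target)

    if parts.scheme:
        # Absolute URL: allow only http(s) and only an exact match on netloc.
        # Comparing the whole netloc (not just hostname) rejects userinfo
        # tricks like "https://rss.example.org@evil.example/" and odd ports.
        if parts.scheme not in ("http", "https"):
            return fallback
        if parts.netloc.lower() != own_host.lower():
            return fallback
        return target

    # No scheme but a netloc means a scheme-relative URL ("//evil.example/").
    if parts.netloc:
        return fallback

    # What is left is a path. Require a single leading "/" so that neither a
    # bare "evil.example/x" nor "////evil.example" (which urlsplit leaves with
    # an empty netloc and a "//..." path) gets through.
    path = parts.path
    if not path.startswith("/") or path.startswith("//"):
        return fallback

    return target


if __name__ == "__main__":
    # Constructed sample targets, as they might arrive in a "return to" style
    # query parameter. Only the first and last should be forwarded unchanged.
    samples = [
        "/prefs.php?tab=feeds",
        "//evil.example/",
        "https://evil.example/",
        "/\\evil.example/",
        "javascript:alert(1)",
        "https://rss.example.org@evil.example/",
        "/x\r\nSet-Cookie: a=b",
        "https://rss.example.org/prefs.php",
    ]
    for s in samples:
        print(f"{s!r:45} -> {safe_redirect_target(s, 'rss.example.org')!r}")
```

In the application this would wrap the redirect call itself (the value handed to the Location header is the function's return value, never the raw parameter), and because the only external host it ever accepts is the instance's own, the report's "redirect to any arbitrary external URL" stops being possible regardless of which parameter carries the target.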