Versions of the package karma prior to 6.3.16 are vulnerable to Open Redirect due to missing validation of the return_url query parameter.
karma project karma
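
One way to validate a `return_url` value before redirecting, shown as an added example that is not karma's code or its actual fix. The helper name `safeReturnUrl`, the origin `http://localhost:9876` and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example: hypothetical helper, not taken from karma.
// Resolve a user-supplied return_url against our own origin and return only
// a normalized same-origin path; anything else becomes the fallback.
function safeReturnUrl(raw, ownOrigin, fallback = '/') {
  // Repeated query parameters often arrive as arrays, so check the type.
  if (typeof raw !== 'string' || raw.length === 0) return fallback;

  let target;
  try {
    // WHATWG parsing mirrors what a browser does with a Location value:
    // it strips tabs/newlines and treats "\" as "/" in http(s) URLs.
    target = new URL(raw, ownOrigin);
  } catch (err) {
    return fallback;
  }

  // Reject other hosts, other ports and non-http(s) schemes
  // (javascript:, data: and similar have the opaque origin "null").
  if (target.origin !== new URL(ownOrigin).origin) return fallback;

  // Emit the normalized path, never the raw input.
  const path = target.pathname + target.search + target.hash;

  // "/.//host" normalizes to the path "//host", which a browser would read
  // as a protocol-relative URL, so refuse it.
  if (path.startsWith('//')) return fallback;
  return path;
}

// Constructed sample inputs (not from the advisory).
const OWN_ORIGIN = 'http://localhost:9876';
const samples = [
  '/context.html?x=1#top',            // relative path: allowed
  'http://localhost:9876/debug.html', // absolute, same origin: allowed
  'https://evil.example/',            // other origin
  '//evil.example/a',                 // protocol-relative
  '/\\evil.example',                  // backslash treated as slash
  '/\t/evil.example',                 // tab stripped by the parser
  'javascript:alert(1)',              // non-http scheme
  '/.//evil.example',                 // normalizes to "//evil.example"
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeReturnUrl(s, OWN_ORIGIN));
}
```

The check compares parsed origins instead of matching string prefixes, and the redirect target is rebuilt from the parsed URL so that parser normalization cannot reintroduce an external host.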