diff --git a/src/Facades/Endpoint/URL.php b/src/Facades/Endpoint/URL.php
index cd969d10b3..7c6077f178 100644
--- a/src/Facades/Endpoint/URL.php
+++ b/src/Facades/Endpoint/URL.php
@@ -274,7 +274,7 @@ public function isExternalToApplication(?string $url): bool
 ->filter(fn ($siteUrl) => $urlDomain === $siteUrl)
 ->isEmpty();
 
- $isExternalToCurrentRequestDomain = ! Str::startsWith($url, self::getDomainFromAbsolute(url()->to('/')));
+ $isExternalToCurrentRequestDomain = $urlDomain !== self::getDomainFromAbsolute(url()->to('/'));
 
 return self::$externalAppUrlsCache[$url] = $isExternalToSites && $isExternalToCurrentRequestDomain;
 }
 
@@ -386,7 +386,7 @@ private function getAbsoluteSiteUrls(): Collection
 */
 private function getDomainFromAbsolute(string $url): string
 {
- return preg_replace('/(https*:\/\/[^\/]+)(.*)/', '$1', $url);
+ return parse_url($url, PHP_URL_HOST) ?? $url;
 }
 
 /**
diff --git a/tests/Facades/Concerns/ProvidesExternalUrls.php b/tests/Facades/Concerns/ProvidesExternalUrls.php
index 867aaf1540..731b22d637 100644
--- a/tests/Facades/Concerns/ProvidesExternalUrls.php
+++ b/tests/Facades/Concerns/ProvidesExternalUrls.php
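Review bot: The new `!==` on the `$isExternalToCurrentRequestDomain` line compares bare hosts, because `getDomainFromAbsolute` now returns only `PHP_URL_HOST`, so scheme and port no longer take part in the check: `https://this-site.com/x` and `http://this-site.com:8000/x` are both treated as internal to a request served from `http://this-site.com`. The regex it replaces kept `scheme://host[:port]`, so this widens what counts as internal; if that is intended, say so on the line, e.g. `// Host-only comparison: scheme and port are deliberately ignored.`, otherwise compare scheme and port as well. The comparison is also case-sensitive on both sides while DNS names are not, which the commit leaves as it was. `$urlDomain` is assigned above the hunk and `isExternalToApplication` begins outside it, so I am assuming it is produced by the same helper.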
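Review bot: `parse_url()` returns `false` rather than `null` for a URL it cannot parse at all, and `?? $url` only covers `null`, so the added line in `getDomainFromAbsolute` would return `false` from a method declared `: string` — a `TypeError` under `strict_types`, or a silently coerced `''` otherwise (the file's `declare` is not visible in the hunk). Guard both cases explicitly: `$host = parse_url($url, PHP_URL_HOST);` followed by `return is_string($host) ? $host : $url;`. The fallback also returns the whole input as the "domain" whenever no host is present (relative paths, `mailto:`), and the caller then compares that string against a real host; the docblock above the hunk should state it, e.g. `Returns the host of an absolute URL, or the input unchanged when no host can be parsed.`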
@@ -67,6 +67,21 @@ public static function externalUrlProvider()
 ['http://subdomain.this-site.com.au/some-slug', true],
 ['http://subdomain.this-site.com.au/some-slug?foo', true],
 ['http://subdomain.this-site.com.au/some-slug#anchor', true],
+
+ // Credential injection
+ ['http://this-site.com@evil.com', true],
+ ['http://this-site.com@evil.com/', true],
+ ['http://this-site.com@evil.com/path', true],
+ ['http://this-site.com@evil.com/path?query', true],
+ ['http://this-site.com:password@evil.com', true],
+ ['http://user:pass@evil.com', true],
+ ['http://absolute-url-resolved-from-request.com@evil.com', true],
+ ['http://absolute-url-resolved-from-request.com@evil.com/path', true],
+ ['http://subdomain.this-site.com@evil.com', true],
+ ['http://subdomain.this-site.com@evil.com/path', true],
+ ['http://this-site.com:8000@evil.com', true],
+ ['http://this-site.com:8000@evil.com/path', true],
+ ['http://this-site.com:8000@webhook.site/token', true],
 ];
 }
 }
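Review bot: The new cases all take the `userinfo@host` shape, so the provider does not exercise the other paths the rewritten `getDomainFromAbsolute` introduces: an input `parse_url()` rejects outright (it returns `false` there, which `?? $url` does not catch), and host-only matching that now ignores scheme and port. Consider one malformed-URL entry plus explicit entries such as `['https://this-site.com/some-slug', <EXPECTED>]` and `['http://this-site.com:8000/some-slug', <EXPECTED>]` so the intended treatment of scheme and port differences is pinned by a test rather than left implicit. `externalUrlProvider` starts above the hunk; I am assuming from the existing entries that `this-site.com` is the configured site host.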