In my opinion, the most dangerous kind of open redirect vulnerability is when it is possible to inject code into the variable that controls the redirections. For example, look at this case:
https://example.com/index.php?go=javascript:alert(document.domain)
Here, the go
variable is using a JavaScript function to get the domain to redirect to the user. So, if a malicious user can manipulate this parameter, it is possible to redirect to other places, or it is possible to combine this vulnerability with a cross-site scripting (XSS) attack and create phishing campaigns.