Moderate severity · NVD Advisory · Published Mar 5, 2026 · Updated Mar 6, 2026
Products.isurlinportal: Possible open redirect when using more than 2 forward slashes
CVE-2026-28413
Description
Products.isurlinportal is a replacement for the isURLInPortal method in Plone. Prior to versions 2.1.0, 3.1.0, and 4.0.0, a URL such as /login?came_from=////evil.example may redirect to an external website after login: a came_from value with more than two leading forward slashes passed the in-portal check as if it were a local path, while browsers resolve a path beginning with several slashes as a scheme-relative URL, so the redirect lands on https://evil.example/. This issue has been patched in versions 2.1.0, 3.1.0, and 4.0.0.
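The following is an added illustration of the mechanics described above; it is not code from Products.isurlinportal or Plone. It contrasts a naive check of the bypassable shape (anything urlsplit() reports as scheme-less and host-less is "in portal") with a hardened check, and includes a small approximation of the WHATWG rule under which a browser collapses two or more leading `/` (and, going beyond the advisory's example, `\`) into a scheme-relative URL. The function names, the portal host `portal.example`, and the sample came_from values are assumptions made for this example.

```python
"""Open redirect via came_from with multiple leading slashes.

Added example, not the Products.isurlinportal code. PORTAL_HOST, the function
names and the sample inputs are assumptions made for illustration.
"""
from urllib.parse import urlsplit

PORTAL_HOST = "portal.example"  # assumed portal hostname for this example


def naive_is_url_in_portal(url: str) -> bool:
    """Check of the bypassable shape: trust whatever urlsplit() reports as
    having neither scheme nor netloc, plus absolute URLs on the portal host."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return parts.scheme in ("http", "https") and parts.netloc == PORTAL_HOST
    # urlsplit("////evil.example") yields netloc='' and path='//evil.example',
    # so this branch accepts it as a plain in-portal path.
    return True


def browser_target(base_host: str, url: str) -> str:
    """Approximation (assumption, not a full WHATWG parser) of the host a
    browser navigates to when resolving `url` against https://<base_host>/:
    for http(s) bases, two or more leading '/' or '\\' are skipped and the
    text up to the next '/', '\\', '?' or '#' becomes the authority."""
    parts = urlsplit(url)
    if parts.scheme:  # absolute URL: the browser goes where it says
        return (parts.hostname or "").lower()
    i = 0
    while i < len(url) and url[i] in "/\\":
        i += 1
    if i < 2:  # zero or one slash: still a path on the base host
        return base_host
    rest = url[i:]
    end = len(rest)
    for delim in "/\\?#":
        pos = rest.find(delim)
        if pos != -1:
            end = min(end, pos)
    authority = rest[:end]
    host = authority.rsplit("@", 1)[-1].split(":", 1)[0]
    return host.lower()


def hardened_is_url_in_portal(url: str) -> bool:
    """Reject anything a browser could turn into a different authority.
    Leading/trailing whitespace is stripped first because browsers strip it
    too (assumption stated here, not taken from the advisory)."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return (parts.scheme in ("http", "https")
                and (parts.hostname or "").lower() == PORTAL_HOST)
    # Scheme-less value: the only safe shapes start with a single '/' or with
    # no slash at all. Two or more leading '/' or '\' become scheme-relative
    # in the browser regardless of what urlsplit() reports.
    if len(url) >= 2 and url[0] in "/\\" and url[1] in "/\\":
        return False
    return True


def compare(samples=None):
    """Return (came_from, naive, hardened, browser_host) rows for constructed
    sample values so the divergence is visible in one place."""
    if samples is None:
        samples = [                      # constructed sample inputs
            "/folder/page",
            "//evil.example",
            "////evil.example",          # the advisory's case
            "/\\evil.example",           # backslash variant, same browser rule
            "https://portal.example/folder",
            "https://evil.example/x",
        ]
    return [(u, naive_is_url_in_portal(u), hardened_is_url_in_portal(u),
             browser_target(PORTAL_HOST, u)) for u in samples]


if __name__ == "__main__":
    for row in compare():
        print("%-32s naive=%-5s hardened=%-5s browser->%s" % row)
```

The row for `////evil.example` is the whole bug in one line: the naive check says "in portal", the hardened check says no, and the browser would land on evil.example. Note that the hardened check rejects on the raw string before trusting any parsed component, because the parser and the browser disagree precisely on the input that matters.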
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Products.isurlinportal (PyPI) | >= 4.0.0a1, < 4.0.0 | 4.0.0 |
| Products.isurlinportal (PyPI) | >= 3.0.0, < 3.1.0 | 3.1.0 |
| Products.isurlinportal (PyPI) | < 2.1.0 | 2.1.0 |
| products-isurlinportal (PyPI, normalized name) | < 2.1.0 | 2.1.0 |
| products-isurlinportal (PyPI, normalized name) | >= 3.0.0, < 3.1.0 | 3.1.0 |
Affected products
- Range: < 4.0.0
References
- github.com/advisories/GHSA-43gx-6gv6-3jcp (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-28413 (NVD)
- github.com/plone/Products.isurlinportal/security/advisories/GHSA-43gx-6gv6-3jcp (vendor advisory, x_refsource_CONFIRM)
- github.com/pypa/advisory-database/tree/main/vulns/products-isurlinportal/PYSEC-2026-112.yaml (PyPA advisory database, PYSEC-2026-112)