Products.isurlinportal: Possible open redirect when using more than 2 forward slashes
Description
Products.isurlinportal is a replacement for the isURLInPortal method in Plone. Prior to versions 2.1.0, 3.1.0, and 4.0.0, a URL such as /login?came_from=////evil.example may redirect to an external website after login. This issue has been patched in versions 2.1.0, 3.1.0, and 4.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Products.isurlinportal prior to 2.1.0, 3.1.0, and 4.0.0 contains an open redirect vulnerability via crafted came_from parameter with multiple slashes.
Vulnerability
Overview
The isURLInPortal method in Products.isurlinportal, a replacement for Plone's isURLInPortal method, fails to properly validate URLs containing more than two forward slashes in the came_from parameter. A URL such as /login?came_from=////evil.example bypasses the portal URL check, allowing an attacker to redirect users to an external site after login [1][2][3].
Exploitation
An attacker can craft a malicious link that appears to point to a trusted Plone site but includes a came_from parameter with multiple leading slashes. When an anonymous user clicks the link and is redirected to the login form, Plone stores the came_from value. After successful authentication, the application redirects the user to the external domain specified in the crafted parameter [1][3]. Standard Plone installations are not affected, but sites with customised login flows (e.g., via add-ons) may be vulnerable [3].
Impact
Successful exploitation results in an open redirect, which can be leveraged for phishing attacks. An attacker could redirect users to a malicious site that mimics the original Plone site, potentially stealing credentials or delivering malware [1][3].
Mitigation
The issue is patched in Products.isurlinportal versions 2.1.0 (Plone 6.0), 3.1.0 (Plone 6.1), and 4.0.0 (Plone 6.2). No known workarounds exist [3]. Users should upgrade to the appropriate patched version for their Plone release.
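The following is an added illustration written for this page, not the Products.isurlinportal patch or any Plone code. It shows why a naive "does it start with a single slash?" check is insufficient and how a strict validator for a post-login redirect target can reject the multi-slash came_from value the advisory describes. The portal address portal.example and the test vectors are constructed assumptions; the check goes slightly beyond the advisory by also rejecting protocol-relative URLs, backslash variants (browsers treat a backslash as a slash in http(s) URLs) and foreign schemes.

```python
"""Added example: a strict validator for a post-login redirect target.

This is NOT the Products.isurlinportal fix; it is an illustrative check
written for this page that rejects the multi-slash ``came_from`` values
the advisory describes, plus a few related shapes (protocol-relative
URLs, backslashes, foreign schemes) that browsers resolve off-site.
"""
from urllib.parse import urlsplit

# Hypothetical portal address used by the examples below (constructed).
PORTAL_URL = "https://portal.example"


def is_safe_redirect_target(came_from: str, portal_url: str = PORTAL_URL) -> bool:
    """Return True only if ``came_from`` can be trusted to stay on the portal.

    Allowed shapes:
      * an absolute http(s) URL whose authority equals the portal's, or
      * a site-relative path with exactly one leading slash.
    Everything else (empty value, foreign scheme, other host, '//host',
    '////host', backslash variants) is rejected.
    """
    if not came_from:
        return False
    target = came_from.strip()
    # Control characters can change how a browser parses the URL.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in target):
        return False

    parts = urlsplit(target)
    portal = urlsplit(portal_url)

    if parts.scheme or parts.netloc:
        # Absolute (or protocol-relative) URL: only our own http(s) authority.
        # Comparing the whole netloc also defeats 'portal.example@evil.example'.
        return (
            parts.scheme.lower() in ("http", "https")
            and parts.netloc.lower() == portal.netloc.lower()
        )

    # No scheme and no netloc. urlsplit parses '////evil.example' as
    # netloc='' and path='//evil.example', which a browser will still resolve
    # as a host. Browsers also treat '\\' as '/' in http(s) URLs, so normalise
    # before inspecting the leading characters.
    path = parts.path.replace("\\", "/")
    if not path.startswith("/"):
        return False  # paths relative to the current page are not accepted
    if path.startswith("//"):
        return False  # two or more leading slashes: resolves to an off-site host
    return True


# Constructed test vectors; the first is the advisory's own example value.
DEMO_CASES = {
    "////evil.example": False,
    "//evil.example": False,
    "/\\evil.example": False,
    "http://evil.example/": False,
    "https://portal.example@evil.example/": False,
    "javascript:alert(1)": False,
    "": False,
    "/dashboard": True,
    "/folder/page?x=1#s": True,
    "https://portal.example/dashboard": True,
}


def check_demo_cases(cases=DEMO_CASES) -> dict:
    """Run the vectors and return those whose verdict differs from expectation."""
    return {url: is_safe_redirect_target(url) for url, want in cases.items()
            if is_safe_redirect_target(url) != want}


if __name__ == "__main__":
    for url, want in DEMO_CASES.items():
        verdict = "allow" if is_safe_redirect_target(url) else "reject"
        print(f"{url!r:45} -> {verdict}")
    assert not check_demo_cases()
```

The validator is deliberately conservative: it compares the whole authority component rather than just the hostname, and it refuses protocol-relative references even to the portal itself, because those are exactly the shapes that lenient parsers and browsers disagree on. Sites with customised login flows can apply a check of this kind to the stored came_from value before issuing the post-authentication redirect.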
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Products.isurlinportal (PyPI) | >= 4.0.0a1, < 4.0.0 | 4.0.0 |
| Products.isurlinportal (PyPI) | >= 3.0.0, < 3.1.0 | 3.1.0 |
| Products.isurlinportal (PyPI) | < 2.1.0 | 2.1.0 |
Affected products
- Range: <2.1.0, <3.1.0, <4.0.0
- plone/Products.isurlinportal, Range: < 4.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-43gx-6gv6-3jcp (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-28413 (advisory)
- github.com/plone/Products.isurlinportal/security/advisories/GHSA-43gx-6gv6-3jcp (vendor advisory, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.