CVE-2026-55590

The getLoginRedirect() method contains a weakness to backslash bypasses allowing redirect targets with attacker controlled hostnames.

3.3.6 and 4.1.1 contain a fix for this issue.

If you are unable to upgrade, you should consider adding application validation to the redirect query string parameter to mitigate this vulnerability.