PT-2026-22990 · Plone · Products.Isurlinportal

Published 2026-03-02 · Updated 2026-03-07 · CVE-2026-28413

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Products.isurlinportal versions prior to 2.1.0
Products.isurlinportal versions prior to 3.1.0
Products.isurlinportal versions prior to 4.0.0
Description

A specially crafted URL, such as /login?came_from=////evil.example, could redirect a user to an external website after successful login. This issue affects customized Plone installations where the login process has been modified with add-ons. The vulnerability lies in insufficient validation of the redirect URL within the Products.isurlinportal package: the check for valid redirect URLs had a loophole, potentially allowing an attacker to trick Plone into redirecting to a malicious website.
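The loophole class the advisory describes, shown as an added example rather than the package's own code: a check that only looks at the parsed host treats `////evil.example` as local, because `urlsplit` leaves it with an empty host, while a browser resolves it as a scheme-relative URL to an external site. The hardened check below normalises the value the way a browser would before deciding; the portal URL and function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumed portal root for the example; a real deployment reads it from the site object.
PORTAL_URL = "https://plone.example"


def naive_is_url_in_portal(url: str, portal_url: str = PORTAL_URL) -> bool:
    """Loose check: anything without an explicit host is treated as inside the portal.

    This is the kind of test that lets '////evil.example' through.
    """
    parts = urlsplit(url)
    portal = urlsplit(portal_url)
    return parts.netloc in ("", portal.netloc)


def is_url_in_portal(url: str, portal_url: str = PORTAL_URL) -> bool:
    """Hardened check: decide on the URL as a browser would interpret it.

    Rules applied:
      * control characters and whitespace are dropped, backslashes become slashes
        (browsers treat '\\' like '/');
      * an explicit scheme must match the portal's scheme;
      * any URL carrying a scheme or host must name the portal's own host;
      * a scheme-less path may not begin with '//' (scheme-relative for browsers,
        even when urlsplit reports no host, as with '////evil.example').
    """
    portal = urlsplit(portal_url)
    cleaned = "".join(ch for ch in url if ord(ch) > 0x20).replace("\\", "/")
    parts = urlsplit(cleaned)
    if parts.scheme and parts.scheme.lower() != portal.scheme.lower():
        return False  # e.g. javascript:, data:, or http: where the portal is https
    if parts.scheme or parts.netloc:
        # Absolute or '//host' form: only the portal's own host is acceptable.
        return parts.netloc.lower() == portal.netloc.lower()
    # Relative reference: reject anything a browser would read as '//host'.
    return not parts.path.startswith("//")


def safe_came_from(url: str, portal_url: str = PORTAL_URL) -> str:
    """Return the requested target if it stays inside the portal, else the portal root."""
    return url if is_url_in_portal(url, portal_url) else portal_url
```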
Recommendations

Versions prior to 2.1.0: Upgrade to Products.isurlinportal version 2.1.0.
Versions prior to 3.1.0: Upgrade to Products.isurlinportal version 3.1.0.
Versions prior to 4.0.0: Upgrade to Products.isurlinportal version 4.0.0.

Open Redirect


Weakness Enumeration

Related Identifiers

CVE-2026-28413
GHSA-43GX-6GV6-3JCP
PYSEC-2026-112

Affected Products

Products.Isurlinportal