Plone's Custom Login Redirect Can Be Hijacked
CVE-2026-28413
GHSA-43gx-6gv6-3jcp
Summary
An open redirect in the login redirect check that Plone delegates to the `Products.isurlinportal` package can let an attacker send a user to an external website after a successful login: a `came_from` value with three or more leading slashes, such as `/login?came_from=////evil.example`, passes the check but is resolved by the browser as a scheme-relative URL to another host. Standard Plone is not affected; sites that have customised the login process, for example with add-ons, may be. To fix the issue, update `Products.isurlinportal` to the patched release for your Plone series: 4.0.0 for Plone 6.2, 3.1.0 for Plone 6.1, or 2.1.0 for Plone 6.0.
What to do
- Plone 6.2: update `Products.isurlinportal` to version 4.0.0.
- Plone 6.1: update `Products.isurlinportal` to version 3.1.0.
- Plone 6.0: update `Products.isurlinportal` to version 2.1.0.
- Older Plone versions no longer receive security support, and no workaround is known.
- To verify, request `/login?came_from=////evil.example` on your site, log in, and confirm that the post-login redirect stays on your own host rather than going to `evil.example`.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| Plone | products.isurlinportal | 4.0.0a1 (Plone 6.2) | 4.0.0 |
| Plone | products.isurlinportal | > 3.0.0, < 3.1.0 (Plone 6.1) | 3.1.0 |
| Plone | products.isurlinportal | < 2.1.0 (Plone 6.0) | 2.1.0 |
Original title
Products.isurlinportal has possible open redirect when using more than 2 forward slashes
Original description
### Impact
A URL such as `/login?came_from=////evil.example` may redirect to an external website after login.
Standard Plone is not affected, but if you have customised the login, for example with add-ons, you might be affected. You can try the URL on your own site to check whether you are affected.
### Patches
The problem has been patched in `Products.isurlinportal`.
* Plone 6.2: upgrade to `Products.isurlinportal` 4.0.0.
* Plone 6.1: upgrade to `Products.isurlinportal` 3.1.0.
* Plone 6.0: upgrade to `Products.isurlinportal` 2.1.0.
* Older Plone versions don't have security support anymore.
### Workarounds
There are no known workarounds.
### Background
When you are anonymous and land on a page that requires a login, Plone sends you to the login form. After successful login, Plone redirects you back to the page you came from. Various other forms and pages have a similar system.
This could get abused by an attacker to trick Plone into redirecting to a different website. Plone checks the page that would be redirected to. It is only accepted if it is within the Plone site domain or part of a different trusted domain.
The main check for this is in the `Products.isurlinportal` package. A lot of potentially malicious URLs are already safely rejected, but here a loophole was found.
This was discovered during a penetration test by the CERT-EU Team.
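To make the loophole concrete, the following is an added, self-contained Python example; it is not Plone's or `Products.isurlinportal`'s code. It puts side by side a naive "is this URL inside the portal" check that trusts `urlsplit()`'s notion of a relative URL, an approximation of what a browser does with the same value in a `Location` header, and a stricter check that rejects any leading run of two or more slashes. It goes slightly beyond the advisory's specific case by also covering a slash-plus-backslash prefix and a userinfo trick. The portal hostname `plone.example`, the `came_from` samples, and all function names are assumptions for the illustration.

```python
import re
from urllib.parse import urlsplit

# Hypothetical portal hostname for the illustration.
PORTAL_HOSTS = {"plone.example"}


def naive_is_url_in_portal(url: str) -> bool:
    """Weak check of the kind the advisory warns about (constructed; not
    Products.isurlinportal's code). It trusts urlsplit(): a URL with an
    empty netloc is treated as a path inside the portal."""
    parts = urlsplit(url.strip())
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if parts.netloc:
        return (parts.hostname or "").lower() in PORTAL_HOSTS
    # urlsplit('////evil.example') reports netloc='' and path='//evil.example',
    # so three or more leading slashes fall through here as "relative".
    return True


def hardened_is_url_in_portal(url: str) -> bool:
    """Stricter check: reject anything a browser could resolve to another
    origin, independently of how urlsplit() carves the string up."""
    candidate = url.strip()
    # A leading run of two or more '/' or '\' is scheme-relative to a browser
    # (WHATWG "special authority ignore slashes" state), whatever Python says.
    if len(candidate) >= 2 and all(c in "/\\" for c in candidate[:2]):
        return False
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, and similar
    if parts.netloc:
        # hostname drops userinfo and port, so 'https://plone.example@evil.example' fails.
        return (parts.hostname or "").lower() in PORTAL_HOSTS
    return True


def browser_resolves_to(base_host: str, location: str) -> str:
    """Approximate host a browser lands on when an http(s) page on base_host
    receives this Location header. Constructed simplification that covers the
    leading-slash cases discussed in the advisory, not a full URL parser."""
    s = location.strip()
    parts = urlsplit(s)
    if parts.scheme in ("http", "https") and parts.netloc:
        return (parts.hostname or "").lower()
    stripped = s.lstrip("/\\")
    if len(s) - len(stripped) >= 2:
        # Scheme-relative: browsers skip every leading slash, then read the host.
        authority = re.split(r"[/\\?#]", stripped, maxsplit=1)[0]
        host = authority.rsplit("@", 1)[-1].split(":", 1)[0]
        return host.lower() or base_host
    return base_host  # plain path or relative reference stays on the portal


# Constructed came_from values as an attacker or a tester might submit them.
CAME_FROM_SAMPLES = [
    "/Plone/folder/page",                   # normal in-site path
    "https://plone.example/Plone/page",     # absolute, same host
    "https://evil.example/",                # absolute, other host
    "//evil.example",                       # two slashes: classic scheme-relative
    "////evil.example",                     # the advisory's case
    "/\\evil.example",                      # slash + backslash, same effect in browsers
    "https://plone.example@evil.example/",  # userinfo trick
]


def evaluate(samples=CAME_FROM_SAMPLES, base_host="plone.example"):
    """Return (came_from, naive_verdict, hardened_verdict, browser_host) rows."""
    return [
        (s, naive_is_url_in_portal(s), hardened_is_url_in_portal(s),
         browser_resolves_to(base_host, s))
        for s in samples
    ]


def naive_open_redirects(samples=CAME_FROM_SAMPLES, base_host="plone.example"):
    """came_from values the naive check accepts although the browser leaves the portal."""
    return [s for s, naive_ok, _, host in evaluate(samples, base_host)
            if naive_ok and host not in PORTAL_HOSTS]


if __name__ == "__main__":
    for came_from, naive_ok, hard_ok, host in evaluate():
        print(f"{came_from:40} naive={naive_ok!s:5} hardened={hard_ok!s:5} browser->{host}")
```

The point of the third column is that server-side parsing and browser parsing disagree: `urlsplit("////evil.example")` sees no host at all, while a browser following `Location: ////evil.example` ends up on `evil.example`. A redirect whitelist therefore has to reject the shape of the string (any leading pair of slashes or backslashes), not just the host that a Python parser happens to extract.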
NVD CVSS 3.1 base score: 5.3
Vulnerability type: CWE-601 (Open Redirect)
Published: 2 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026