CVE-2026-28413
Received Received - Intake
Open Redirect Vulnerability in Plone isURLInPortal Component

Publication date: 2026-03-05

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
Products.isurlinportal is a replacement for isURLInPortal method in Plone. Prior to versions 2.1.0, 3.1.0, and 4.0.0, a url /login?came_from=////evil.example may redirect to an external website after login. This issue has been patched in versions 2.1.0, 3.1.0, and 4.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-28413
EUVD
EUVD-2026-9872
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
plone isurlinportal to 2.1.0 (exc)
plone isurlinportal From 3.0.0 (inc) to 3.1.0 (exc)
plone isurlinportal 4.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28413 is a moderate severity open redirect vulnerability in the Products.isurlinportal package used by Plone.'}, {'type': 'paragraph', 'content': 'The issue occurs when URLs containing more than two forward slashes in the "came_from" parameter (for example, /login?came_from=////evil.example) cause the system to redirect users to external, potentially malicious websites after login.'}, {'type': 'paragraph', 'content': 'This happens because the URL validation logic in Products.isurlinportal, which is supposed to ensure redirects stay within the Plone site or trusted domains, can be bypassed by this specific URL pattern.'}, {'type': 'paragraph', 'content': 'The vulnerability was discovered during a penetration test by the CERT-EU team and affects versions prior to 2.1.0, 3.1.0, and 4.0.0, with patches available in those versions.'}] [1]

Impact Analysis

This vulnerability can impact you by allowing an attacker to craft specially designed URLs that redirect users to untrusted external websites after login.

Such redirects can be used for phishing attacks, leading users to malicious sites that may attempt to steal credentials or deliver malware.

The vulnerability does not require any privileges or user interaction to be exploited, making it easier for attackers to exploit in customized login workflows.

However, it does not affect standard Plone installations and has a low impact on confidentiality, with no impact on integrity or availability.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring login URLs that contain the "came_from" parameter with multiple forward slashes, such as /login?came_from=////evil.example, which may indicate attempts to exploit the open redirect flaw.'}, {'type': 'paragraph', 'content': 'You can search your web server logs or proxy logs for requests matching this pattern to identify potential exploitation attempts.'}, {'type': 'list_item', 'content': 'Use grep or similar tools to find suspicious URLs in logs, for example: grep -E "/login\\?came_from=/{2,}" access.log'}, {'type': 'list_item', 'content': 'Use network monitoring tools or intrusion detection systems to alert on HTTP requests containing multiple consecutive slashes in the "came_from" parameter.'}] [1]

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the Products.isurlinportal package to a patched version.

  • Upgrade to version 2.1.0 or later if using Plone 6.0.
  • Upgrade to version 3.1.0 or later if using Plone 6.1.
  • Upgrade to version 4.0.0 or later if using Plone 6.2.

There are no known workarounds, so applying the patch is essential to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28413. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart