CVE-2026-28413
Open Redirect Vulnerability in Plone isURLInPortal Component
Publication date: 2026-03-05
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| plone | isurlinportal | Up to 2.1.0 (exc) |
| plone | isurlinportal | From 3.0.0 (inc) to 3.1.0 (exc) |
| plone | isurlinportal | 4.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28413 is a moderate severity open redirect vulnerability in the Products.isurlinportal package used by Plone.
The issue occurs when URLs containing more than two forward slashes in the "came_from" parameter (for example, /login?came_from=////evil.example) cause the system to redirect users to external, potentially malicious websites after login.
This happens because the URL validation logic in Products.isurlinportal, which is supposed to ensure redirects stay within the Plone site or trusted domains, can be bypassed by this specific URL pattern.
The vulnerability was discovered during a penetration test by the CERT-EU team and affects versions prior to 2.1.0, 3.1.0, and 4.0.0, with patches available in those versions. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to craft specially designed URLs that redirect users to untrusted external websites after login.
Such redirects can be used for phishing attacks, leading users to malicious sites that may attempt to steal credentials or deliver malware.
The vulnerability requires no privileges or user interaction to exploit, which makes it easier for attackers to abuse in customized login workflows.
However, it does not affect standard Plone installations and has a low impact on confidentiality, with no impact on integrity or availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring login URLs that contain the "came_from" parameter with multiple forward slashes, such as /login?came_from=////evil.example, which may indicate attempts to exploit the open redirect flaw.
You can search your web server logs or proxy logs for requests matching this pattern to identify potential exploitation attempts.
- Use grep or similar tools to find suspicious URLs in logs, for example: `grep -E "/login\?came_from=/{2,}" access.log`
- Use network monitoring tools or intrusion detection systems to alert on HTTP requests containing multiple consecutive slashes in the "came_from" parameter. [1]
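As an added example (not part of this advisory or of the Products.isurlinportal project), a small Python scanner that applies the same check to constructed access-log lines; it parses the query string instead of grepping the raw line, so percent-encoded values are decoded before the slash count is checked. The log format, addresses and paths are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed, combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Mar/2026:10:00:01 +0000] "GET /login?came_from=/news HTTP/1.1" 200 512
203.0.113.9 - - [05/Mar/2026:10:00:02 +0000] "GET /login?came_from=////evil.example HTTP/1.1" 302 0
203.0.113.9 - - [05/Mar/2026:10:00:03 +0000] "GET /login?came_from=%2F%2F%2Fevil.example HTTP/1.1" 302 0
203.0.113.7 - - [05/Mar/2026:10:00:04 +0000] "GET /login?came_from=//cdn.example/x HTTP/1.1" 200 512
198.51.100.2 - - [05/Mar/2026:10:00:05 +0000] "GET /login HTTP/1.1" 200 512
"""

# Pull the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[0-9.]+"')


def came_from_values(line):
    """Return every decoded came_from value found in one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    # parse_qs percent-decodes values, so the check below sees the real slashes.
    return parse_qs(query, keep_blank_values=True).get("came_from", [])


def is_suspicious(came_from):
    """True when the value starts with two or more slashes, the pattern the
    advisory's grep (/{2,}) looks for, e.g. ////evil.example."""
    return came_from.startswith("//")


def scan_log(text):
    """Return (line_number, came_from) for every request that matches."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for value in came_from_values(line):
            if is_suspicious(value):
                hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in scan_log(SAMPLE_LOG):
        print(f"line {number}: suspicious came_from={value!r}")
```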
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade the Products.isurlinportal package to a patched version.
- Upgrade to version 2.1.0 or later if using Plone 6.0.
- Upgrade to version 3.1.0 or later if using Plone 6.1.
- Upgrade to version 4.0.0 or later if using Plone 6.2.
There are no known workarounds, so applying the patch is essential to prevent exploitation.