CVE-2026-28413

MEDIUM WAF: Medium

CVSS 6.1 Published: 2026-03-05

CWE-601

Products.isurlinportal is a replacement for isURLInPortal method in Plone. Prior to versions 2.1.0, 3.1.0, and 4.0.0, a url /login?came_from=////evil.example may redirect to an external website after login. This issue has been patched in versions 2.1.0, 3.1.0, and 4.0.0.

WAF Coverage Analysis

Open Redirect Medium WAF Coverage

OWASP: A01:2021 Broken Access Control

941xxx - XSS / XXE

Affected Software

Vendor	Product	Version
plone	isurlinportal	up to 2.1.0
plone	isurlinportal	3.0.0 - 3.1.0
plone	isurlinportal	4.0.0

References

github.com (Vendor Advisory)

Back to CVE Database