MEDIUM 6.1
PYSEC-2026-112
Details
Products.isurlinportal is a replacement for the isURLInPortal method in Plone. Prior to versions 2.1.0, 3.1.0, and 4.0.0, a URL such as /login?came_from=////evil.example may redirect to an external website after login. This issue has been patched in versions 2.1.0, 3.1.0, and 4.0.0.
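The sketch below is an added example, not code from Products.isurlinportal or its patch. It shows one way a redirect-target check can accept the came_from value above, next to a stricter check that rejects it. The function names and PORTAL_HOST are hypothetical, and the assumption is that the weak check relies on urlsplit reporting no scheme and no host.

```python
from urllib.parse import urlsplit

PORTAL_HOST = "portal.example"  # constructed portal hostname (assumption)


def naive_is_local(target: str) -> bool:
    """Hypothetical weak check: no scheme and no netloc means 'local'."""
    # urlsplit reads "////evil.example" as an empty netloc followed by
    # the path "//evil.example", so this returns True for it.
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def strict_is_local(target: str) -> bool:
    """Hypothetical hardened check for a post-login redirect target."""
    # Browsers drop tabs/newlines and trim spaces, so refuse them outright.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    # Browsers treat "\" like "/" in http(s) URLs.
    normalized = target.replace("\\", "/")
    # Two or more leading slashes start a host, not a path, in a browser.
    if normalized.startswith("//"):
        return False
    parts = urlsplit(normalized)
    if parts.scheme or parts.netloc:
        # Absolute URLs are allowed only when they point at the portal itself.
        return parts.scheme in ("http", "https") and parts.hostname == PORTAL_HOST
    # Only root-relative paths are accepted as local.
    return normalized.startswith("/")


if __name__ == "__main__":
    for sample in ("////evil.example", "/folder/page", "https://portal.example/x"):
        print(sample, naive_is_local(sample), strict_is_local(sample))
```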
Affected packages
PyPI / products-isurlinportal
Introduced in: 0
Fixed in: 2.1.0
Fix:
pip install --upgrade 'products-isurlinportal>=2.1.0'