VDB
KO
HIGH 8.8

PYSEC-2026-736

Improper Restriction of XML External Entity Reference in Plone

Details

Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / plone-supermodel
Introduced in: 0 Fixed in: 1.6.3
Fix pip install --upgrade 'plone-supermodel>=1.6.3'

References