HIGH 8.8
PYSEC-2026-736
Improper Restriction of XML External Entity Reference in Plone
Details
Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / plone-supermodel
Introduced in:
0 Fixed in: 1.6.3 Fix
pip install --upgrade 'plone-supermodel>=1.6.3' References
- https://nvd.nist.gov/vuln/detail/CVE-2020-28734 [ADVISORY]
- https://github.com/plone/Products.CMFPlone/issues/3209 [WEB]
- https://dist.plone.org/release/5.2.3/RELEASE-NOTES.txt [WEB]
- https://github.com/advisories/GHSA-wq6x-g685-w5f2 [ADVISORY]
- https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2020-246.yaml [WEB]
- https://www.misakikata.com/codes/plone/python-en.html [WEB]
- https://pypi.org/project/plone-supermodel [PACKAGE]