On behalf of the Plone/Zope Security Team I announce several vulnerability fixes.

Remote Code Execution via TALES Injection:
CVE requested
https://github.com/plone/plone.app.portlets/security/advisories/GHSA-rr49-f9g6-c9r5
severity 9.9 critical

Denial of service via iCalendar import:
CVE-2026-55247
https://github.com/plone/plone.app.event/security/advisories/GHSA-r82h-mqw3-fc56
severity 9.1 critical

Denial of service via RSS feed portlet:
CVE-2026-55248
https://github.com/plone/plone.app.portlets/security/advisories/GHSA-x5g3-w747-2h8q
severity 9.1 critical

Denial of Service due to excessive title/description/filename length:
CVE requested
severity 6.5 moderate. This has fixes in two packages, so two advisories:
https://github.com/plone/plone.app.dexterity/security/advisories/GHSA-5426-92w4-wvhv
https://github.com/plone/plone.app.contenttypes/security/advisories/GHSA-8pcw-h6w9-h46g

Those were announced today (June 23, 2026).

Two more were announced the past week:

Denial of Service in icalendar:
CVE-2026-55099
https://github.com/collective/icalendar/security/advisories/GHSA-cv84-9p8j-fj68
severity 7.5 high

Sandbox escape in RestrictedPython:
CVE-2026-55830
https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-ffg3-p8fm-mjx2
severity 8.3 high

And one more was announced on June 5:

Stored XSS by spoofing mime type:
CVE-2026-54503
severity 4.3 moderate. This has fixes in two packages, so two advisories:
https://github.com/plone/plone.app.textfield/security/advisories/GHSA-4r4f-gg25-rmg5
https://github.com/plone/plone.restapi/security/advisories/GHSA-8rqh-vxpr-x77p

See the individual advisories for details.

For an overview of which package versions you should update to per supported Plone version (6.0, 6.1, 6.2), see these two posts:

https://community.plone.org/t/security-vulnerability-announcement-plone-app-textfield-and-plone-restapi/23050
https://community.plone.org/t/plone-security-fixes-20260623/23085

Full releases of Plone 6.1.5 and 6.2.1 are expected this week, and they will contain the fixed versions.

Thanks,

Maurits van Rees
Plone/Zope Security Team