PYSEC-2026-2961

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/products-cmfcore/PYSEC-2026-2961.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2961
Aliases
Published
2026-07-09T16:49:33.489876Z
Modified
2026-07-13T16:43:09.732565422Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Cross-site scripting in Products.CMFCore, Products.PluggableAuthService, Plone
Details

Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.

References

Affected packages

PyPI / products-cmfcore

Package

Name
products-cmfcore
View open source insights on deps.dev
Purl
pkg:pypi/products-cmfcore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.5.1

Affected versions

2.*
2.1.1
2.1.2-beta
2.1.2
2.1.3
2.2.0-alpha
2.2.0-beta
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.3.0-beta
2.3.0-beta2
2.3.0
2.3.1
2.4.0b1
2.4.0b2
2.4.0b3
2.4.0b4
2.4.0b5
2.4.0b6
2.4.0b7
2.4.0b8
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.5.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/products-cmfcore/PYSEC-2026-2961.yaml"