Plone CMS 3.1.x uses invariant data (a client username and a server secret) when calculating an HMAC-SHA1 value for an authentication cookie, which makes it easier for remote attackers to gain permanent access to an account by sniffing the network.
"https://github.com/pypa/advisory-database/blob/main/vulns/plone/PYSEC-2026-732.yaml"