PYSEC-2026-732

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/plone/PYSEC-2026-732.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-732
Aliases
Published
2026-07-02T14:13:20.996430Z
Modified
2026-07-06T08:00:51.697864215Z
Summary
Plone credentials stored in session cookie
Details

Plone CMS 3.1.x uses invariant data (a client username and a server secret) when calculating an HMAC-SHA1 value for an authentication cookie, which makes it easier for remote attackers to gain permanent access to an account by sniffing the network.

References

Affected packages

PyPI / plone

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
3.1.7

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/plone/PYSEC-2026-732.yaml"