PYSEC-2026-735

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/plone-supermodel/PYSEC-2026-735.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-735
Aliases
Published
2026-07-02T14:13:10.056554Z
Modified
2026-07-06T08:11:32.365128018Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Improper Restriction of XML External Entity Reference in Plone
Details

Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).

References

Affected packages

PyPI / plone-supermodel

Package

Name
plone-supermodel
View open source insights on deps.dev
Purl
pkg:pypi/plone-supermodel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.3

Affected versions

1.*
1.0b1
1.0b2
1.0b3
1.0b4
1.0b5
1.0b6
1.0b7
1.0b8
1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.0
1.4.1
1.5.0
1.6.0
1.6.1
1.6.2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/plone-supermodel/PYSEC-2026-735.yaml"