PYSEC-2026-736

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/plone-supermodel/PYSEC-2026-736.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-736
Aliases
Published
2026-07-02T14:13:09.907843Z
Modified
2026-07-06T08:11:23.297418134Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Improper Restriction of XML External Entity Reference in Plone
Details

Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role.

References

Affected packages

PyPI / plone-supermodel

Package

Name
plone-supermodel
View open source insights on deps.dev
Purl
pkg:pypi/plone-supermodel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.3

Affected versions

1.*
1.0b1
1.0b2
1.0b3
1.0b4
1.0b5
1.0b6
1.0b7
1.0b8
1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.0
1.4.1
1.5.0
1.6.0
1.6.1
1.6.2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/plone-supermodel/PYSEC-2026-736.yaml"