PYSEC-2026-737

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/plone-supermodel/PYSEC-2026-737.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-737
Aliases
Published
2026-07-02T14:13:09.993688Z
Modified
2026-07-06T08:11:30.486410039Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
SSRF attacks via tracebacks in Plone
Details

Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role).

References

Affected packages

PyPI / plone-supermodel

Package

Name
plone-supermodel
View open source insights on deps.dev
Purl
pkg:pypi/plone-supermodel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.3

Affected versions

1.*
1.0b1
1.0b2
1.0b3
1.0b4
1.0b5
1.0b6
1.0b7
1.0b8
1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.0
1.4.1
1.5.0
1.6.0
1.6.1
1.6.2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/plone-supermodel/PYSEC-2026-737.yaml"