PYSEC-2026-897

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/plone/PYSEC-2026-897.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-897
Aliases
Published
2026-07-06T08:03:27.332968Z
Modified
2026-07-07T11:45:17.337877161Z
Summary
Plone anonymous access to sub-objects in CMFEditions where KwAsAttributes classes were publishable
Details

The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587.

References

Affected packages

PyPI / plone

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0
Fixed
4.0.10
Introduced
4.1
Fixed
4.1.1
Introduced
4.2a1
Fixed
4.2a3

Affected versions

4.*
4.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.1
4.2a1
4.2a2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/plone/PYSEC-2026-897.yaml"