securityonline.info 7/1/2026, 1:32:34 AM · external

Plone fixes critical RCE bug in Classic portlet, issues patches


Plone has addressed three critical vulnerabilities in its software, including a remote code execution (RCE) flaw rated CVSS 9.9 that lets an attacker execute code on the server through user-supplied input in the Classic portlet. The risk is significant because any user who is able to add a Classic portlet can exploit it.

Two further vulnerabilities, each rated CVSS 9.1, enable denial of service (DoS), server-side request forgery (SSRF) and stored cross-site scripting (XSS) through features in the plone.app.event and plone.app.portlets packages. Affected versions are Plone 6.0, 6.1 and 6.2. Immediate patching of the RCE vulnerability is recommended, with the specific version updates required for each release outlined in the advisory.


Article by CyberSIXT