Plone security advisory 20260623
Various vulnerabilities, including Remote Code Execution and Denial of Service

On behalf of the Plone/Zope Security Team I announce several vulnerability fixes.

Two others, icalendar and RestrictedPython, were already made public recently; we list them here for completeness.

Some of these are vulnerabilities only in Classic UI (for example, Volto has no portlets), but others affect Volto as well.

Taken together, they mean you should update your Plone sites to the following versions (formatted here as pip constraints):

Plone 6.2:

icalendar==7.1.3
plone.app.contenttypes==5.0.1
plone.app.dexterity==5.0.1
plone.app.event==6.0.1
plone.app.portlets==7.0.2
RestrictedPython==8.3

Plone 6.1:

plone.app.contenttypes==4.0.10
plone.app.dexterity==4.1.3
plone.app.event==5.2.4
plone.app.portlets==6.0.4
RestrictedPython==8.3

Plone 6.0:

plone.app.contenttypes==3.0.12
plone.app.dexterity==3.2.3
plone.app.event==5.2.4
plone.app.portlets==5.0.8
RestrictedPython==8.3; python_version > '3.10'
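
To find out whether a site already meets these pins, the following script parses the Plone 6.0 constraint block above (copied in verbatim, including the python_version marker on RestrictedPython), evaluates the marker for the running interpreter and compares each pin against what importlib.metadata reports as installed. This is an added example, not part of the advisory or of Plone; the function names are this example's own, and it assumes that a release newer than the pin still carries the fix, so it reports anything at or above the pin as ok.

```python
"""Compare installed package versions against the advisory's pip constraints.

Added example, not code from the Plone project. Only the constraint forms used
in the advisory are supported: 'name==version' with an optional
"; python_version <op> 'X.Y'" marker.
"""
import importlib.metadata
import re
import sys
from typing import Dict, Iterable, List, Optional, Tuple

# Plone 6.0 constraints, copied from the advisory text above.
PLONE_60_CONSTRAINTS = """\
plone.app.contenttypes==3.0.12
plone.app.dexterity==3.2.3
plone.app.event==5.2.4
plone.app.portlets==5.0.8
RestrictedPython==8.3; python_version > '3.10'
"""

_LINE_RE = re.compile(
    r"^\s*([A-Za-z0-9._-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:;\s*(.*))?$"
)
_MARKER_RE = re.compile(
    r"^python_version\s*(<=|>=|==|!=|<|>)\s*['\"]([0-9.]+)['\"]\s*$"
)


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric dotted-version ordering: '5.2.10' > '5.2.4' and '3.10' > '3.9'.

    Pre-release suffixes are ignored; the advisory lists final releases only.
    """
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def marker_applies(marker: Optional[str], python_version: str) -> bool:
    """Evaluate the one marker form the advisory uses: python_version <op> 'X.Y'.

    Like PEP 508, this compares as versions, so '3.9' is not greater than '3.10'.
    """
    if not marker:
        return True
    m = _MARKER_RE.match(marker)
    if not m:
        raise ValueError(f"unsupported marker: {marker!r}")
    op, ref = m.groups()
    left, right = version_key(python_version), version_key(ref)
    return {
        "<": left < right, "<=": left <= right, ">": left > right,
        ">=": left >= right, "==": left == right, "!=": left != right,
    }[op]


def parse_constraints(text: str, python_version: str) -> Dict[str, str]:
    """Return {distribution: pinned version} for lines whose marker applies."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse constraint: {line!r}")
        name, version, marker = m.groups()
        if marker_applies(marker, python_version):
            pins[name] = version
    return pins


def check_versions(
    pins: Dict[str, str], installed: Dict[str, Optional[str]]
) -> List[Tuple[str, str, Optional[str], str]]:
    """Classify each pin as ok / outdated / missing.

    Assumption of this example: a version newer than the pin still has the fix.
    """
    report = []
    for name, required in pins.items():
        have = installed.get(name)
        if have is None:
            status = "missing"
        elif version_key(have) < version_key(required):
            status = "outdated"
        else:
            status = "ok"
        report.append((name, required, have, status))
    return report


def installed_versions(names: Iterable[str]) -> Dict[str, Optional[str]]:
    """Look up each distribution in the current environment; None if absent."""
    found: Dict[str, Optional[str]] = {}
    for name in names:
        try:
            found[name] = importlib.metadata.version(name)
        except importlib.metadata.PackageNotFoundError:
            found[name] = None
    return found


if __name__ == "__main__":
    py = "{}.{}".format(*sys.version_info[:2])
    pins = parse_constraints(PLONE_60_CONSTRAINTS, py)
    for name, required, have, status in check_versions(pins, installed_versions(pins)):
        print(f"{status:9} {name}  required {required}  installed {have or '-'}")
```

Run it inside the site's virtualenv (the same interpreter Zope uses), since importlib.metadata only sees distributions installed for the interpreter that runs the script. Swap in the 6.1 or 6.2 block from the advisory for those releases.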

Also check that you have already applied the plone.app.textfield and plone.restapi fixes from the June 5 announcement.

If you think a security issue was incompletely solved, please contact the Plone/Zope Security Team via email at security@plone.org.

If these versions cause other problems, you can comment on the community forum announcement or open an issue in the Products.CMFPlone tracker; please check first whether the problem has already been reported.