Security patch released: 20160830

Hotfix to patch various vulnerabilities

CVE numbers not yet issued.

Versions Affected: All supported Plone versions (4.x, 5.x). Previous versions could be affected but have not been tested.

Versions Not Affected: None.

Nature of vulnerability: the patch will address several cross site scripting (XSS) vulnerability issues.

The patch was released at 2016-08-30 15:00 UTC.


Full installation instructions are available on the HotFix release page.

Extra Help

If you do not have in-house server administrators or a website maintenance service agreement, you can find consulting companies at .

There is also free support available online via the Plone IRC channel and the Plone community forum.


Questions and Answers

What is involved in applying the patch? 
Patches are made available as tarball-style archives that may be unpacked into the “products” folder of a buildout installation and as Python packages that may be installed by editing a buildout configuration file and running buildout. Patching is generally easy and quick to accomplish.

How were these vulnerabilities found?
The vulnerabilities were found by users submitting them to the security mailing list.

My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date? 
Plone patches are always made available to all users at the same time. There are no exceptions.

How can I report other potential security vulnerabilities? 
Please email the Plone Security Team at rather than publicly discussing potential security issues.

How can I apply the patch without affecting my users? 
Even though this patch does NOT require you to run buildout, you can run buildout without affecting your users. You can restart a multi-client Plone install without affecting your users; see  

How do I get help patching my site? 
Plone service providers are listed at  There is also free support available online via the Plone IRC channel and the Plone community forum.

Who is on the Plone Security Team and how is it funded?
The Plone Security Team is made up of volunteers who are experienced developers familiar with the Plone code base and with security exploits. The Plone Security Team is not funded; members and/or their employers have volunteered their time in the interests of the greater Plone community.

How can I help the Plone Security Team? 
The Plone Security Team is looking for help from security-minded developers and testers. Volunteers must be known to the Security Team and have been part of the Plone community for some time. To help the Security Team financially, your donations are most welcome at

General questions about this announcement, Plone patching procedures, and availability of support may be addressed to the Plone support forums . If you have specific questions about this vulnerability or its handling, contact the Plone Security Team directly.

To report potentially security-related issuese-mail the Plone Security Team directly at rather than publicly discussing potential security issues. We are always happy to credit individuals and companies who make responsible disclosures.

The Plone Security Team is an all-volunteer team. If you'd like to help the team, as a developer, a tester, or as a financial sponsor, please email the team at and become a sponsor at

To be informed of future security patches, subscribe to the low-traffic Plone announcement list

Information for Vulnerability Database Maintainers

We have already applied for CVE numbers for these issues. Further information on individual vulnerabilities (including CVSS scores, CWE identifiers and summaries) is available at the current vulnerability list and the old vulnerability list