CVE Tools

plone

Web & CMS PluginsNLoss-project

95

Cumulative CVEs

20

Monthly snapshots

#6

Peak rank

Top products

Latest CVEs

The 15 most recently published vulnerabilities affecting plone.

CVE-2026-28413Products.isurlinportal: Possible open redirect when using more than 2 forward slashes5.3Mar 5, 2026
CVE-2025-58047Volto affected by possible DoS by invoking specific URL by anonymous user7.5Aug 28, 2025
CVE-2024-22889Due to incorrect access control in Plone version v6.0.9, remote attackers can view and list all files hosted on the website via sending a crafted request.7.5Mar 5, 2024
CVE-2024-23756The HTTP PUT and DELETE methods are enabled in the Plone official Docker version 5.2.13 (5221), allowing unauthenticated attackers to execute dangerous actions such as uploading files to the server...7.5Feb 8, 2024
CVE-2024-23054An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution due to a package listed in ++plone++static/components not existing in the publi...9.8Feb 5, 2024
CVE-2024-23055An issue in Plone Docker Official Image 5.2.13 (5221) open-source software allows for remote code execution via improper validation of input by the HOST headers.6.1Jan 25, 2024
CVE-2024-0669Cross-Frame Scripting (XFS) on Plone CMS6.3Jan 18, 2024
CVE-2023-42457plone.rest vulnerable to Denial of Service when ++api++ is used many times7.5Sep 21, 2023
CVE-2023-41048plone.namedfile vulnerable to Stored Cross Site Scripting with SVG images3.7Sep 21, 2023
CVE-2021-33926An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1 5.1, 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5....8.8Feb 17, 2023
CVE-2022-24740Improper Authentication in Volto5.0Mar 14, 2022
CVE-2022-23599Cross-site Scripting and Open Redirect in Products.ATContentTypes4.3Jan 28, 2022
CVE-2021-32806URL Redirection to Untrusted Site ('Open Redirect') in Products.isurlinportal6.5Aug 2, 2021
CVE-2021-35959In Plone 5.0 through 5.2.4, Editors are vulnerable to XSS in the folder contents view, if a Contributor has created a folder with a SCRIPT tag in the description field.5.4Jun 30, 2021
CVE-2021-33507Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.6.1May 21, 2021