TL;DR
Plone patched three critical flaws across two add-on packages. The worst is a Plone RCE vulnerability scoring 9.9 on CVSS. Two more bugs enable denial of service, SSRF, and stored XSS.
Why It Matters
Plone runs sites for businesses, governments, and universities. The project has a long reputation for security. So a 9.9 flaw stands out. A code execution flaw hands an attacker the server process. From there, they could read data or pivot inside the network. Worse, regular users can reach the worst bug by default. So this Plone RCE vulnerability deserves immediate attention.
How the Attacks Work
CVE-2026-57149: TALES injection to RCE (CVSS 9.9)
The top flaw lives in the Classic portlet. It builds a TALES path expression from user-supplied fields. Plone then evaluates that value as a full expression. So a crafted entry runs as code in the Plone process. The result is a privilege jump from web user to server. Any user who can add a Classic portlet can trigger it. The project’s RCE advisory explains the TALES path issue.
CVE-2026-55247 and CVE-2026-55248: DoS, SSRF, and XSS (CVSS 9.1)
The other two flaws score 9.1 each. One abuses the iCalendar import feature in plone.app.event. The other abuses an RSS feed portlet. In both cases a large linked file can exhaust server memory. Both can also be used to probe the internal network and open ports. Each can store cross-site scripting payloads as well.
Affected Versions
The flaws affect Plone 6.0, 6.1, and 6.2. They live in the plone.app.portlets and plone.app.event packages.
Patch and Mitigation
Patch the Plone RCE vulnerability first. For portlets, move to 7.0.2, 6.0.4, or 5.0.8 by branch. For events, move to 6.0.1 or 5.2.4 by branch. Until you patch, limit who can manage portlets. Also restrict the iCalendar import permission to trusted roles. Note that one stored-XSS issue has no clean workaround. So far, no public proof-of-concept or in-the-wild exploitation has been confirmed.
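The fixed versions above are given per branch, so an installed 6.0.3 of plone.app.portlets is vulnerable while a 5.0.8 is not. The block below is an added example, not a Plone project tool; it turns that table into a check you can run against a site's pins or its live environment. It assumes the branch is the major version number of the package (the page says "by branch" without defining it), reads pins in the `name==version` form Plone's constraints.txt uses, and treats pre-release suffixes conservatively as older than the fixed release. The sample constraints text is constructed.

```python
import importlib.metadata

# Fixed versions as stated in the advisory summary, keyed by branch (major version).
# The branch-equals-major mapping is an assumption of this example.
FIXED = {
    "plone.app.portlets": {7: (7, 0, 2), 6: (6, 0, 4), 5: (5, 0, 8)},
    "plone.app.event": {6: (6, 0, 1), 5: (5, 2, 4)},
}


def parse_version(text):
    """Return the leading numeric components of a version as a 3-tuple.

    "6.0.3" -> (6, 0, 3); "6.0" -> (6, 0, 0); "6.0.4rc1" -> (6, 0, 0), i.e. a
    pre-release of the fixed version still compares as vulnerable.
    """
    parts = []
    for piece in text.strip().split("."):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(package, version_text):
    """Classify one installed version against the advisory's fixed versions."""
    branches = FIXED.get(package)
    if branches is None:
        return "not tracked"
    version = parse_version(version_text)
    fixed = branches.get(version[0])
    if fixed is None:
        return "unknown branch %d.x" % version[0]
    if version >= fixed:
        return "patched"
    return "vulnerable (upgrade to %s)" % ".".join(str(n) for n in fixed)


def scan_pins(constraints_text):
    """Parse `name==version` lines and assess every tracked package found."""
    results = {}
    for line in constraints_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" not in line:
            continue
        name, version_text = (part.strip() for part in line.split("==", 1))
        if name in FIXED:
            results[name] = assess(name, version_text)
    return results


def check_installed():
    """Assess the tracked packages actually installed in this Python environment."""
    results = {}
    for name in FIXED:
        try:
            results[name] = assess(name, importlib.metadata.version(name))
        except importlib.metadata.PackageNotFoundError:
            results[name] = "not installed"
    return results


# Constructed sample in the constraints.txt style.
SAMPLE_CONSTRAINTS = """
# pins for a Plone 6.1 site (constructed example)
plone.app.portlets==6.0.3
plone.app.event==5.2.4
plone.app.contenttypes==3.0.5
"""

if __name__ == "__main__":
    for name, status in scan_pins(SAMPLE_CONSTRAINTS).items():
        print("%-22s %s" % (name, status))
    for name, status in check_installed().items():
        print("%-22s %s (live environment)" % (name, status))
```

Run it in the site's Python (the one that runs Zope) so `check_installed()` sees the real packages, or feed it the constraints file used for the last deployment; a pin that says "patched" does not prove the running instance was rebuilt, so treat the live check as authoritative.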