Skip to main content

Plone CMS CVE-2026-54503

CRITICAL
2026-06-23
Share

Severity by source

vuln.today AI
5.4 MEDIUM

Upload requires at least Contributor role (PR:L); victim must view content (UI:R); XSS crosses into victim browser context (S:C); confidentiality and integrity limited to browser-session scope.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Lifecycle Timeline

1
Analysis Generated
Jun 23, 2026 - 20:17 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Stored cross-site scripting in Plone CMS enables persistent script injection by spoofing file MIME types within the plone.app.textfield and plone.restapi packages, announced June 5, 2026. An attacker with content-upload access can craft a file whose declared MIME type bypasses Plone's content-type enforcement, causing browsers to render the payload as HTML or JavaScript when other users access the stored content. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate to Plone as Contributor
Delivery
Upload file with spoofed MIME type via web UI or REST API
Exploit
Payload stored persistently in Plone content database
Install
Victim user navigates to or previews stored file
C2
Browser renders content as HTML/JS
Execute
XSS payload executes in victim browser context
Impact
Session token or credentials exfiltrated

Vulnerability AssessmentAI

Exploitation The attacker must hold a Plone user account with at minimum the Contributor role (or equivalent upload permission) on the target site - unauthenticated exploitation is not supported by the available data. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS score of 4.3 moderate places this below the threshold of urgent emergency patching, and no EPSS data, KEV listing, or POC availability was indicated in the provided intelligence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Plone contributor uploads a document with its MIME type header manipulated to text/html (or a similar executable type) while the actual file content contains a JavaScript payload. Plone stores the file alongside its attacker-supplied MIME metadata. …
Remediation Consult the individual GitHub Security Advisories for plone.app.textfield (GHSA-4r4f-gg25-rmg5) and plone.restapi (GHSA-8rqh-vxpr-x77p) to obtain the exact patched versions and apply upgrades via pip. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit Plone instances and restrict file-upload permissions to fully trusted internal users; enable comprehensive audit logging for all file operations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54503 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy