Severity by source
iCal import in Plone typically requires an authenticated contributor role; impact is pure availability loss with no confidentiality or integrity effect.
Lifecycle Timeline
1Description PRE-NVD
AnalysisAI
Denial-of-service via malformed iCalendar import in Plone's plone.app.event package, rated 9.1 critical, enables remote disruption of affected Plone installations by submitting a crafted ICS file to the event import endpoint. Disclosed June 23, 2026 as part of a coordinated Plone security release addressing six distinct vulnerabilities across multiple packages. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the ability to submit an iCalendar (ICS) file to Plone's event import functionality. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The 9.1 critical CVSS score is atypically high for a pure denial-of-service finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with access to Plone's iCalendar import endpoint submits a specially crafted ICS file - for example, one containing a pathologically complex recurrence rule, deeply nested components, or an extremely large calendar dataset - triggering unbounded resource consumption in the server-side parser. The Plone application process exhausts CPU or memory attempting to process the malformed input, rendering the site unavailable to legitimate users until the process is restarted or a timeout is enforced. … |
| Remediation | Consult the official vendor advisory at https://github.com/plone/plone.app.event/security/advisories/GHSA-r82h-mqw3-fc56 for the confirmed patched version of plone.app.event. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Plone deployments using plone.app.event package and document affected versions; restrict event import endpoint access to known, trusted IP sources via firewall rules. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today