Skip to main content

plone.app.event CVE-2026-55247

CRITICAL
2026-06-23
Share

Severity by source

vuln.today AI
6.5 MEDIUM

iCal import in Plone typically requires an authenticated contributor role; impact is pure availability loss with no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Lifecycle Timeline

1
Analysis Generated
Jun 23, 2026 - 20:19 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Denial-of-service via malformed iCalendar import in Plone's plone.app.event package, rated 9.1 critical, enables remote disruption of affected Plone installations by submitting a crafted ICS file to the event import endpoint. Disclosed June 23, 2026 as part of a coordinated Plone security release addressing six distinct vulnerabilities across multiple packages. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Access Plone iCal import endpoint
Delivery
Submit specially crafted ICS file
Exploit
Trigger unbounded resource consumption in iCalendar parser
Execution
Plone server process exhausts CPU or memory
Impact
Site-wide denial of service for all users

Vulnerability AssessmentAI

Exploitation Exploitation requires the ability to submit an iCalendar (ICS) file to Plone's event import functionality. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The 9.1 critical CVSS score is atypically high for a pure denial-of-service finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with access to Plone's iCalendar import endpoint submits a specially crafted ICS file - for example, one containing a pathologically complex recurrence rule, deeply nested components, or an extremely large calendar dataset - triggering unbounded resource consumption in the server-side parser. The Plone application process exhausts CPU or memory attempting to process the malformed input, rendering the site unavailable to legitimate users until the process is restarted or a timeout is enforced. …
Remediation Consult the official vendor advisory at https://github.com/plone/plone.app.event/security/advisories/GHSA-r82h-mqw3-fc56 for the confirmed patched version of plone.app.event. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Plone deployments using plone.app.event package and document affected versions; restrict event import endpoint access to known, trusted IP sources via firewall rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55247 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy