{"id":"PYSEC-2026-459","summary":"Plone Unauthenticated Write Vulnerability","details":"A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission.","aliases":["CVE-2020-7941","GHSA-w6g9-xccc-347h","PYSEC-2020-90"],"modified":"2026-07-01T20:23:00.383868Z","published":"2026-06-29T11:50:32.119427Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7941"},{"type":"PACKAGE","url":"https://github.com/plone/plone.app.contenttypes"},{"type":"WEB","url":"https://github.com/plone/plone.app.contenttypes/blob/master/CHANGES.rst?plain=1#L372-L374"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2020-90.yaml"},{"type":"WEB","url":"https://plone.org/security/hotfix/20200121"},{"type":"WEB","url":"https://plone.org/security/hotfix/20200121/privilege-escalation-for-overwriting-content"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2020/01/22/1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2020/01/24/1"},{"type":"PACKAGE","url":"https://pypi.org/project/plone-app-contenttypes"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-w6g9-xccc-347h"}],"affected":[{"package":{"name":"plone-app-contenttypes","ecosystem":"PyPI","purl":"pkg:pypi/plone-app-contenttypes"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.0","1.0b1","1.0b2","1.0rc1","1.1","1.1.1","1.1.2","1.1.3","1.1.4","1.1.5","1.1.6","1.1.7","1.1.8","1.1.9","1.1a1","1.1b1","1.1b2","1.1b3","1.1b4","1.1b5","1.1b6","1.2.0","1.2.1","1.2.10","1.2.11","1.2.12","1.2.13","1.2.14","1.2.15","1.2.16","1.2.17","1.2.18","1.2.19","1.2.2","1.2.20","1.2.21","1.2.22","1.2.23","1.2.24","1.2.25","1.2.26","1.2.27","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.2.8","1.2.9","1.2a1","1.2a2","1.2a3","1.2a4","1.2a5","1.2a6","1.2a7","1.2a8","1.2a9","1.2b1","1.2b2","1.2b3","1.2b4","1.3.0","1.4","1.4.1","1.4.10","1.4.11","1.4.12","1.4.13","1.4.14","1.4.15","1.4.16","1.4.17","1.4.18","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.7","1.4.8","1.4.9","2.0.0","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.1.0","2.1.1","2.1.10","2.1.2","2.1.3","2.1.4","2.1.5","2.1.6","2.1.7","2.1.8","2.1.9","2.2.0","2.2.1","2.2.2","2.2.3","3.0.0","3.0.0a1","3.0.0a10","3.0.0a11","3.0.0a12","3.0.0a13","3.0.0a2","3.0.0a3","3.0.0a4","3.0.0a5","3.0.0a6","3.0.0a7","3.0.0a8","3.0.0a9","3.0.0b1","3.0.0b2","3.0.1","3.0.10","3.0.11","3.0.12","3.0.2","3.0.3","3.0.4","3.0.5","3.0.6","3.0.7","3.0.8","3.0.9","4.0.0","4.0.1","4.0.10","4.0.2","4.0.3","4.0.4","4.0.5","4.0.6","4.0.7","4.0.8","4.0.9","5.0.0","5.0.0a1","5.0.0a2","5.0.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/plone-app-contenttypes/PYSEC-2026-459.yaml","last_known_affected_version_range":"\u003c 2.1.6"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}