{"id":"PYSEC-2026-896","summary":"Plone XSS Vulnerability","details":"Cross-site scripting (XSS) vulnerability in `skins/plone_templates/default_error_message.pt` in Plone before 2.5.3 allows remote attackers to inject arbitrary web script or HTML via the type_name parameter to `Members/ipa/createObject`.","aliases":["CVE-2011-1340","GHSA-cvwc-g7fw-7xrj"],"modified":"2026-07-07T11:45:17.357105448Z","published":"2026-07-06T08:03:27.502739Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2011-1340"},{"type":"WEB","url":"https://web.archive.org/web/20110816092954/http://dev.plone.org/plone/changeset/12262"},{"type":"WEB","url":"https://web.archive.org/web/20110817133423/https://dev.plone.org/plone/ticket/6110"},{"type":"WEB","url":"http://jvn.jp/en/jp/JVN41222793/index.html"},{"type":"WEB","url":"http://jvndb.jvn.jp/jvndb/JVNDB-2011-000056"},{"type":"PACKAGE","url":"https://pypi.org/project/plone"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-cvwc-g7fw-7xrj"}],"affected":[{"package":{"name":"plone","ecosystem":"PyPI","purl":"pkg:pypi/plone"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.5.3"}]}],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/plone/PYSEC-2026-896.yaml"}}],"schema_version":"1.7.5"}