CVE-2021-33926
Description
An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1, 5.1, 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.10, 5.0.1, 5.0, 4.3.9, 4.3.8, 4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.20, 4 allows an attacker to access sensitive information via the RSS feed portlet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Plone CMS RSS feed portlet allows unauthenticated access to sensitive information across multiple versions.
Vulnerability
Overview
The vulnerability resides in the RSS feed portlet of Plone CMS, affecting a wide range of versions from 4.0 up to 5.2.4. The portlet fails to properly restrict access to sensitive information, leading to information disclosure [1].
Exploitation
An attacker can exploit this by accessing the RSS feed portlet, which, depending on the site configuration, may not require authentication. No special privileges are needed to trigger the information leakage [4].
Impact
Successful exploitation allows an attacker to obtain sensitive information that should otherwise be protected, potentially compromising user privacy or revealing internal data [1].
Mitigation
As of the latest advisories, no official patch is mentioned for this specific issue. Users are advised to review their Plone installation, consider disabling the RSS feed portlet if it is not needed, and monitor Plone's official channels for updates [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| Plone | PyPI | >= 4.3, < 5.2.5 | 5.2.5 |
Affected products
- Plone CMS / Plone CMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-47p5-p3jw-w78w (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-33926 (advisory)
- github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2023-289.yaml (web)
- github.com/s-kustm/Subodh/blob/master/Plone%205.2.4%20Vulnerable%20to%20bilend%20SSRF.pdf (web)
- plone.org/security/hotfix/20210518 (web)
- plone.org/security/hotfix/20210518/blind-ssrf-via-feedparser-accessing-an-internal-url (web)
News mentions
No linked articles in our index yet.