Bypass Restricted Python

A user who can create or edit templates can bypass Restricted Python.

Versions affected

  • 5.1a1
  • 5.0.4
  • 5.0.3
  • 5.0.2
  • 5.0.1
  • 5.0
  • 5.0rc3
  • 5.0rc2
  • 5.0rc1


This vulnerability should only affect site administrators who have ZMI access, or sites where you have given users permission to edit PloneFormGen templates. Only Chameleon ( is affected. This package is used by default in Plone 5, and can be added in Plone 4.

Current status



Discovered by

  • Fred van Dijk and Maurits van Rees

Fixed by

  • Plone Security Team

Coordinated by

  • Plone Security Team