CVE-2024-22889

HIGH

Plone 6.0.9 - Unauthenticated Arbitrary File Read via Crafted Request

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-22889. PoCs published by shenhav12.

AI-analyzed exploit summary: The repository lacks functional exploit code and instead promises a 'POC coming soon,' which is a common tactic in suspicious repos. No technical details or actual exploit code are provided.

Description

Due to incorrect access control in Plone version 6.0.9, remote attackers can view and list all files hosted on the website by sending a crafted request.

Exploits (1)

nomisec SUSPICIOUS
by shenhav12 · poc
https://github.com/shenhav12/CVE-2024-22889-Plone-v6.0.9


Classification
Suspicious 90%
Attack Type
Info Leak
Complexity
Theoretical
Reliability
Theoretical
Target: Plone CMS v6.0.9
No auth needed
devstral-2 · analyzed Feb 18, 2026

References (1)


Scores

CVSS v3 7.5
EPSS 0.0055
EPSS Percentile 68.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-276
Status published
Products (2)
plone/plone 6.0.9
pypi/Plone (PyPI)
Published Mar 06, 2024
Tracked Since Feb 18, 2026