Plone released (with Zope security fix)

Release notes for Plone

For technical wizards who want to jump straight in, here are two important links:


Major changes since 5.2.10:

  • Zope: Security fix for a Cross Site Scripting vulnerability. See announcement. The security fix is in Zope 4.8.4, but there were a few regressions, so we use 4.8.6.
  • plone.protect: fix test that failed after the security fix.

Python compatibility

This release supports Python 2.7, 3.7, and 3.8.

Python 3.6 is no longer supported.

See the community announcement.

Note that both Python 2.7 and 3.6 have reached end of life.

This means the wider Python community no longer supports it.

For example, the default WSGI server used by Plone, which is waitress, has a security problem that is only solved on Python 3.7 and higher. If you use waitress on earlier Python versions, you are vulnerable.

Python 3.7 will reach end of life in June 2023.

See Status of Python Versions for the canonical information.

It will get harder to test and support Plone on unsupported Python versions.

Especially Python 2.7 should only be used as a temporary stepping stone before you migrate your Plone site to Python 3.


For installation instructions, see the documentation.


If you find any issues, please report them in the main issue tracker.