Plone released (with Zope security fix)

Release notes for Plone

For technical wizards who want to jump straight in, here are two important links:


Major changes since 6.0.0:

  • Zope: Security fix for a Cross Site Scripting vulnerability. See announcement. The security fix is in Zope 5.7.1, but there were a few regressions, so we use 5.7.3.
  • plone.protect: fix test that failed after the security fix.
  • plone.volto: A few textual improvements in the default created pages and the migration wizard.

Volto frontend

The default frontend for Plone 6 is Volto. Latest release is 16.5.0. See the changelog.
Note that this is a JavaScript frontend that you need to run in a separate process with NodeJS.
The Classic UI is still available when you only run the Python process.

Python compatibility

This release supports Python 3.8, 3.9, 3.10, and 3.11.


For installation instructions, see the documentation.


If you find any issues, please report them in the main issue tracker.

1 Like

Thanks for all effort

Can anyone confirm "click the content tag" and check the 2nd page of the search result is wrong?

I have a report here and bug tracker for this issue, but it appears that I only have it. Anyone can do some test for it? has not been update yet

On the server, 6.0-latest is a symlink that correctly points to When I open the constraints.txt in my browser, I see Zope==5.7.3 in there, so that is correct.
Might be some caching, we have CloudFlare in front of this.

it really was some cache. it worked now.

I upgraded to Plone and now I get the error:

2022-12-21 17:54:45 WARNING [][waitress-0] No such index: 'sort_on'
2022-12-21 17:54:45 WARNING [][waitress-0] No such index: 'sort_order'

When running the search:


I have a 6.0.0 site that doesn't show this in the same search.

Perhaps the error @mactrash is having could be related to the error I saw. Perhaps there is a problem with the Catalog.

I think this is a regression from handle sort_on and sort_order parameters to allow both lists and strings by erral · Pull Request #1533 · plone/plone.restapi · GitHub -- there is a missing continue after line 110 in, @erral

FYI fix: add missing continue to avoid unneeded warnings in logs by erral · Pull Request #1559 · plone/plone.restapi · GitHub

I was also seeing this but I didn't remember whether I was seeing before my fix.

@davisagli thanks for fixing this!

I have a 6.0.0 site that doesn't show this in the same search.

The 6.0.0 site I used to test this was one created with the Volto repository buildout:

Then I went to check, and I saw that it pins an outdated version of plone.restapi, compared to Plone 6.0.0, which does not contain the @erral change:

So I thought it could be a Catalog problem used by Plone But actually Plone 6.0.0 already has this problem, if used correct version of plone.restapi.

I understand the need for Volto to use a more recent version of plone.restapi, but when the Plone version is updated in buildout, the plone.restapi version has to be checked in versions.cfg, so it doesn't get out of date. In fact, I think that several versions.cfg pinns should be removed from there, to avoid this problem.