Server-Side Request Forgery (SSRF)
Plone allows SSRF attacks via the tracebacks feature (only available to the Manager role).
Advisories for Pypi/Plone.app.event package
2021
Improper Restriction of XML External Entity Reference
Plone allows XXE attacks via a feature that is explicitly only available to the Manager role.
Improper Restriction of XML External Entity Reference
Plone allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).