
Zope 4.6.3 and 5.3 released with a security fix
On behalf of the Zope developer community I am pleased to announce the releases of Zope 4.6.3 and 5.3.

This bugfix release solves a few minor issues and contains a security fix. For the full list of changes see the change logs at and

Installation instructions can be found at and

These releases contain a security fix that prevents remote code execution through Script (Python) objects. You are only at risk if all of the following are true:

- You use Python 3 for your Zope deployment (Zope 4 on Python 2 is not affected)
- You run Zope 4 below version 4.6.3 or Zope 5 below version 5.3
- You have installed the optional Products.PythonScripts add-on package
- You allow untrusted non-admin users to add or edit Script (Python) objects

By default, untrusted non-admin users cannot add or edit Script (Python) objects, only “Manager” users can. Enabling this level of access for untrusted users would be a very unusual configuration and it is highly unlikely any site administrator would do so to begin with.

The related security advisories with full details are published here:


NOTE FOR PLONE USERS: Make sure to install the latest version of PloneHotfix20210518 first, which should appear shortly after this Zope release. See Don't install Zope 4.6.3 or 5.3 into an existing Plone setup without testing. The PloneHotfix packages ensure that the Zope changes don’t interfere with Plone add-ons.

Jens Vagelpohl
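
The first three conditions in the list above can be read from package metadata in the environment that runs Zope. The following is an added example, not part of the original announcement or the Zope project's code, that checks them and reports whether the fourth condition (who may add or edit Script (Python) objects) needs a manual review. The distribution names `Zope` and `Products.PythonScripts` and the handling of pre-release versions are assumptions.

```python
import re
import sys
from importlib import metadata

# Fixed releases named in the announcement, keyed by Zope major version.
FIXED = {4: (4, 6, 3), 5: (5, 3, 0)}


def parse_version(text):
    """Return (numeric tuple padded to 3 parts, is_prerelease)."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = (tuple(int(p) for p in m.group(1).split(".")) + (0, 0, 0))[:3]
    # Assumption: aN / bN / rcN / .devN suffixes mark a build older than the release.
    pre = bool(re.match(r"[.\-_]?(a|b|rc|dev)", m.group(2)))
    return nums, pre


def zope_below_fix(version_text):
    """True if this Zope 4 or 5 version is older than the fixed release."""
    nums, pre = parse_version(version_text)
    fixed = FIXED.get(nums[0])
    if fixed is None:
        return False  # not Zope 4 or 5: outside the announcement's stated scope
    return nums < fixed or (nums == fixed and pre)


def installed(dist):
    """Installed version of a distribution, or None if it is absent."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def assess(python_major, zope_version, pythonscripts_version):
    """Evaluate the three conditions that are visible from package metadata."""
    met = {
        "python3": python_major >= 3,
        "zope_below_fix": zope_version is not None and zope_below_fix(zope_version),
        "pythonscripts_installed": pythonscripts_version is not None,
    }
    # Only when all three hold does the user-permission condition matter.
    met["needs_permission_review"] = all(met.values())
    return met


if __name__ == "__main__":
    report = assess(sys.version_info.major, installed("Zope"),
                    installed("Products.PythonScripts"))
    for name, value in report.items():
        print(f"{name}: {value}")
```

Run it with the same interpreter and virtual environment that the Zope instance uses, since the result reflects only the packages visible to that interpreter.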