Use of Externally-Controlled Format String
An attacker can access private content via Python's str.format vulnerability in through-the-web templates and scripts in Plone. This improves an earlier hotfix. Since the format method was introduced in Python 2.6, this part of the hotfix is only relevant for Plone 4 and 5.
CWE-134 - Use of Externally-Controlled Format String
The software uses a function that accepts a format string as an argument, but the format string originates from an external source.