CVE-2026-24351

Medium CVSS: 5.1

PluXml CMS is vulnerable to Stored XSS in Static Pages editing functionality. Attacker with editing privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Vendor

Pluxml

Product

Pluxml

CWE

CWE-79

Yayın Tarihi

2026-02-27 12:16:03

Güncelleme

2026-02-27 18:34:15

Source Identifier

cvd@cert.pl

KEV Date Added

Kategoriler

CWE-79 Pluxml MEDIUM Pluxml 2026

Referanslar

https://cert.pl/posts/2026/03/CVE-2026-24350 https://pluxml.org/

Benzer Kayıtlar

Medium

CVE-2025-70128

A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.…

Medium

CVE-2025-70129

If the anti spam-captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generate…

Medium

CVE-2026-24352

PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the sa…

Medium

CVE-2026-24350

PluXml CMS is vulnerable to Stored XSS in file uploading functionality. An authenticated attacker can upload an SVG file…

Medium

CVE-2025-15438

A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file co…

Medium

CVE-2025-67436

Authenticated Remote Code Execution (RCE) in PluXml CMS 5.8.22 allows an attacker with administrator panel access to inj…