CVE-2026-24352

Medium CVSS: 4.8

PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID
for a victim and later hijack the authenticated session.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Vendor

Pluxml

Product

Pluxml

CWE

CWE-384

Yayın Tarihi

2026-02-27 12:16:03

Güncelleme

2026-02-27 18:36:00

Source Identifier

cvd@cert.pl

KEV Date Added

Kategoriler

CWE-384 Pluxml MEDIUM Pluxml 2026

Referanslar

https://cert.pl/posts/2026/03/CVE-2026-24350 https://pluxml.org/

Benzer Kayıtlar

Medium

CVE-2025-70128

A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.…

Medium

CVE-2025-70129

If the anti spam-captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generate…

Medium

CVE-2026-24351

PluXml CMS is vulnerable to Stored XSS in Static Pages editing functionality. Attacker with editing privileges can injec…

Medium

CVE-2026-24350

PluXml CMS is vulnerable to Stored XSS in file uploading functionality. An authenticated attacker can upload an SVG file…

Medium

CVE-2025-15438

A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file co…

Medium

CVE-2025-67436

Authenticated Remote Code Execution (RCE) in PluXml CMS 5.8.22 allows an attacker with administrator panel access to inj…