Skip to main content

Pluxml CVE-2026-24350

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-02-27 cvd@cert.pl
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 27, 2026 - 12:16 nvd
MEDIUM 5.4

DescriptionCVE.org

PluXml CMS is vulnerable to Stored XSS in file uploading functionality. An authenticated attacker can upload an SVG file containing a malicious payload, which will be executed when a victim clicks the link associated with the uploaded image. In version 5.9.0-rc7 clicking the link associated with the uploaded image doesn't execute malicious code but directly accessing the file will still execute the embedded payload.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

AnalysisAI

Stored XSS in PluXml CMS file upload functionality allows authenticated attackers to embed malicious payloads in SVG files that execute when victims directly access the uploaded files. The vulnerability affects at least versions 5.8.21 and 5.9.0-rc7, with other versions untested. No patch is currently available from the vendor.

Technical ContextAI

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects the file uploading component of Pluxml. PluXml CMS is vulnerable to Stored XSS in file uploading functionality. An authenticated attacker can upload an SVG file containing a malicious payload, which will be executed when a victim clicks the link associated with the uploaded image. In version 5.9.0-rc7 clicking the link associated with the uploaded image doesn't execute malicious code but directly accessing the file will still execute the embedded payload.

The vendor was notified early about this vulnerability, but didn't respond with

RemediationAI

Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

More in Pluxml

View all
CVE-2012-2227 HIGH POC
7.5 Aug 26

Directory traversal vulnerability in update/index.php in PluXml before 5.1.6 allows remote attackers to include and exec

CVE-2020-18185 CRITICAL POC
9.8 Oct 02

class.plx.admin.php in PluXml 5.7 allows attackers to execute arbitrary PHP code by modify the configuration file in a l

CVE-2022-25018 HIGH POC
8.8 Mar 01

Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static page

CVE-2024-22636 HIGH POC
8.8 Jan 25

PluXml Blog v5.8.9 was discovered to contain a remote code execution (RCE) vulnerability in the Static Pages feature. Ra

CVE-2022-25020 MEDIUM POC
5.4 Mar 01

A cross-site scripting (XSS) vulnerability in Pluxml v5.8.7 allows attackers to execute arbitrary web scripts or HTML vi

CVE-2021-38603 MEDIUM POC
4.8 Aug 12

PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Information field. Rated medium severity (CVSS 4.8), this v

CVE-2021-38602 MEDIUM POC
4.8 Aug 12

PluXML 5.8.7 allows Article Editing stored XSS via Headline or Content. Rated medium severity (CVSS 4.8), this vulnerabi

CVE-2017-1001001 MEDIUM
5.4 Nov 01

PluXml version 5.6 is vulnerable to stored cross-site scripting vulnerability, within the article creation page, which c

CVE-2025-70129 MEDIUM
5.3 Mar 10

If the anti spam-captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generate

CVE-2026-24351 MEDIUM
5.1 Feb 27

PluXml CMS versions 5.8.21 and 5.9.0-rc7 contain a stored cross-site scripting vulnerability in the static pages editor

CVE-2012-4674 MEDIUM
5.0 Aug 26

PluXml before 5.1.6 allows remote attackers to obtain the installation path via the PHPSESSID. Rated medium severity (CV

CVE-2012-4675 MEDIUM
4.3 Aug 26

Cross-site scripting (XSS) vulnerability in PluXml 5.1.6 allows remote attackers to inject arbitrary web script or HTML

Share

CVE-2026-24350 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy