Skip to main content

Pluxml CVE-2026-24351

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-02-27 cvd@cert.pl
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
May 19, 2026 - 22:22 NVD
5.4 (MEDIUM) 5.1 (MEDIUM)
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 27, 2026 - 12:16 nvd
MEDIUM 5.4

DescriptionCVE.org

PluXml CMS is vulnerable to Stored XSS in Static Pages editing functionality. Attacker with editing privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

AnalysisAI

PluXml CMS versions 5.8.21 and 5.9.0-rc7 contain a stored cross-site scripting vulnerability in the static pages editor that allows authenticated users with editing privileges to inject malicious JavaScript and HTML into pages. When other users visit the compromised pages, the injected code executes in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available from the vendor.

Technical ContextAI

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects the Static Pages editing component of Pluxml. PluXml CMS is vulnerable to Stored XSS in Static Pages editing functionality. Attacker with editing privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

RemediationAI

Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

More in Pluxml

View all
CVE-2012-2227 HIGH POC
7.5 Aug 26

Directory traversal vulnerability in update/index.php in PluXml before 5.1.6 allows remote attackers to include and exec

CVE-2020-18185 CRITICAL POC
9.8 Oct 02

class.plx.admin.php in PluXml 5.7 allows attackers to execute arbitrary PHP code by modify the configuration file in a l

CVE-2022-25018 HIGH POC
8.8 Mar 01

Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static page

CVE-2024-22636 HIGH POC
8.8 Jan 25

PluXml Blog v5.8.9 was discovered to contain a remote code execution (RCE) vulnerability in the Static Pages feature. Ra

CVE-2022-25020 MEDIUM POC
5.4 Mar 01

A cross-site scripting (XSS) vulnerability in Pluxml v5.8.7 allows attackers to execute arbitrary web scripts or HTML vi

CVE-2021-38603 MEDIUM POC
4.8 Aug 12

PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Information field. Rated medium severity (CVSS 4.8), this v

CVE-2021-38602 MEDIUM POC
4.8 Aug 12

PluXML 5.8.7 allows Article Editing stored XSS via Headline or Content. Rated medium severity (CVSS 4.8), this vulnerabi

CVE-2017-1001001 MEDIUM
5.4 Nov 01

PluXml version 5.6 is vulnerable to stored cross-site scripting vulnerability, within the article creation page, which c

CVE-2026-24350 MEDIUM
5.4 Feb 27

Stored XSS in PluXml CMS file upload functionality allows authenticated attackers to embed malicious payloads in SVG fil

CVE-2025-70129 MEDIUM
5.3 Mar 10

If the anti spam-captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generate

CVE-2012-4674 MEDIUM
5.0 Aug 26

PluXml before 5.1.6 allows remote attackers to obtain the installation path via the PHPSESSID. Rated medium severity (CV

CVE-2012-4675 MEDIUM
4.3 Aug 26

Cross-site scripting (XSS) vulnerability in PluXml 5.1.6 allows remote attackers to inject arbitrary web script or HTML

Share

CVE-2026-24351 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy