Which versions of Session Fixation are affected by CVE-2026-24352?

CVE-2026-24352 is a critical session fixation vulnerability in PluXml CMS that allows attackers to hijack user sessions and gain unauthorized access to accounts, including administrative privileges.

Session Fixation CVE-2026-24352

Q: What is the CVSS score of CVE-2026-24352?

CVE-2026-24352 has a CVSS 4.0 base score of 4.8 (Medium). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

MEDIUM

Session Fixation (CWE-384)

2026-02-27 cvd@cert.pl

Information Disclosure Session Fixation

4.8

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Severity Changed

May 19, 2026 - 22:22 NVD

CRITICAL MEDIUM

CVSS changed

May 19, 2026 - 22:22 NVD

9.8 (CRITICAL) 4.8 (MEDIUM)

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 27, 2026 - 12:16 nvd

CRITICAL 9.8

DescriptionNVD

PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

AnalysisAI

Session fixation vulnerability in PluXml CMS allows attackers to set session identifiers before authentication, enabling session hijacking after the victim logs in.

RemediationAI

Within 24 hours: Identify all systems running PluXml CMS and isolate them from production if possible; disable public access and restrict to VPN-only. Within 7 days: Implement WAF rules to detect and block session fixation attempts; enforce session regeneration at login via application configuration or reverse proxy; audit logs for suspicious session activity. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-24352 vulnerability details – vuln.today

Back

Session Fixation CVE-2026-24352

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Session Fixation CVE-2026-24352

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code