Home

Description

PluXml CMS is vulnerable to Stored XSS in Static Pages editing functionality. Attacker with editing privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

PUBLISHED Reserved 2026-01-22 | Published 2026-02-27 | Updated 2026-02-27 | Assigner CERT-PL




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status
unknown

5.9.0-rc7 (custom)
affected

5.8.21 (semver)
affected

Credits

Arkadiusz Marta finder

References

cert.pl/posts/2026/03/CVE-2026-24350 third-party-advisory

pluxml.org/ product

cve.org (CVE-2026-24351)

nvd.nist.gov (CVE-2026-24351)

Download JSON