← back
CVE-2026-24351

Stored XSS in PluXml CMS

CVSS 5.1 MEDIUMEPSS 0.2%CWE-79
PluXml CMS is vulnerable to Stored XSS in Static Pages editing functionality. Attacker with editing privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Affected products
PluXml · PluXml CMS

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://cert.pl/posts/2026/03/CVE-2026-24350https://pluxml.org/