CVE-2026-11434
Description
FluentCMS Blocks Plugin suffers from Stored XSS, allowing remote attackers to inject and execute malicious scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Blocks Plugin component of FluentCMS, specifically within the /admin/blocks file. The application fails to properly validate and sanitize user inputs, allowing attackers to inject malicious scripts that are stored on the server. The affected version is FluentCMS 0.0.5 [1].
Exploitation
An attacker can exploit this vulnerability by authenticating with an administrator account and navigating to the Blocks menu. After clicking "Add Block", the attacker can insert a malicious script payload into the "Content" field. The script is stored when the entry is submitted. The attacker can then trigger the script's execution by having a victim access a page preview or the page itself, where the injected block is displayed [1].
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, data theft, or further compromise of the user's account and system, as the script runs with the privileges of the victim's browser session [1].
Mitigation
No patched version or specific mitigation details have been disclosed in the available references. The vendor was contacted but did not respond. The exploit has been made publicly available [1].
AI Insight generated on Jun 6, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to properly validate and sanitize user inputs in the Blocks Plugin, allowing for script injection."
Attack vector
An attacker with administrative privileges must first access the 'Blocks menu' and click the 'Add Block' button to set up a new entry. The attacker then inserts a malicious script payload into the 'Content' field and submits the form. Subsequently, the attacker accesses the page preview endpoint '/?pagePreview=1', drags and drops the created Block Plugin onto the page, and selects it. Finally, any user accessing the page will have the malicious script executed in their browser [1].
Affected code
The vulnerability resides within the Blocks Plugin of the FluentCMS application, specifically related to the handling of user input in the '/admin/blocks' file. The application fails to validate and sanitize data entered into the 'Content' field when creating or editing blocks [1].
What the fix does
The advisory does not provide information about a patch or specific remediation steps. It only states that the vendor was contacted and did not respond. Therefore, no fix explanation can be provided.
Preconditions
- auth: The attacker must authenticate with an administrator account.
- input: The attacker must inject a script payload into the 'Content' field of a block.
Reproduction
Authenticate with an admin account and access the 'Blocks menu'. Click the 'Add Block' button to set up a new entry. Insert the payload '><img src=x onerror=alert(\'CVE-Hunters\')>' in the 'Content' field, type any value in the other fields, and click 'Submit'. Then access the page preview at the endpoint '/?pagePreview=1'. Drag and drop the Block Plugin anywhere on the page. Click the 'Select' button and select the Block that was set up before. Finally, access the page as an ordinary user and the script will execute automatically [1].
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
References: 5
News mentions: 0
No linked articles in our index yet.