VYPR
Medium severity 5.4 · NVD Advisory · Published Feb 27, 2026 · Updated May 19, 2026

CVE-2026-24351

Description

PluXml CMS is vulnerable to stored XSS in the Static Pages editing functionality. An attacker with editing privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when the edited page is visited.

The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PluXml CMS suffers from stored XSS in static pages, allowing authenticated editors to inject arbitrary HTML/JS.

The vulnerability is a stored cross-site scripting (XSS) in PluXml CMS's static pages editing function. An attacker with editing privileges can inject arbitrary HTML and JavaScript code into a static page, which will be rendered and executed when visitors access that page [1].

Exploitation requires an attacker to have an account with at least editing-level permissions. No other authentication bypass is needed. The attacker crafts malicious content in the static page editor, which is then stored and served to all users.

The impact includes theft of session cookies, redirection to malicious sites, defacement, or other actions within the context of the victim's browser. The tested versions are 5.8.21 and 5.9.0-rc7, but other versions may also be affected.

The vendor was notified but did not respond with details or a patch. As of publication, no official fix is available. Users should restrict editing privileges and monitor for updates.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Pluxml/Pluxml (llm-fuzzy)
    Range: =5.8.21, =5.9.0-rc7
  • PluXml/PluXml CMS (v5)
    Range: 5.9.0-rc7

Patches

0

No patches discovered yet.

References

2
