CVE-2026-24352
Description
PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.
The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed vulnerable; other versions were not tested and might also be vulnerable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PluXml CMS allows pre-authentication session fixation, enabling authenticated session hijacking via a fixed session ID.
Vulnerability
Overview
CVE-2026-24352 describes a session fixation vulnerability in PluXml CMS. The application permits a user's session identifier (session ID) to be set before any authentication occurs. Critically, the same session ID is retained after the user successfully authenticates. This violates the security principle that session IDs should be regenerated upon login to prevent fixation attacks [1].
Attack Vector
An attacker can exploit this by first establishing a session with the application (for example, by visiting the PluXml installation) and obtaining a valid, unauthenticated session ID. The attacker then tricks a victim into using that same session ID (e.g., through a crafted link or social engineering). When the victim logs in (authenticates) while holding that session ID, the authenticated session inherits the same identifier. The attacker, who knows the session ID, can then hijack the victim's authenticated session, gaining access to the victim's account and privileges [1].
Impact
Successful exploitation allows an attacker to take over any victim's session after authentication. This can lead to unauthorized access to the CMS administrative panel, modification of content, data exfiltration, or other malicious actions depending on the victim's assigned permissions. The vulnerability is rated Critical (CVSS 9.8) due to its low complexity, no required privileges, and no user interaction beyond the victim authenticating [1].
Mitigation
As of publication, the vendor has not responded with details about the vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed vulnerable; other versions may also be affected. No official patch has been released. Administrators are advised to monitor the PluXml website for updates and consider implementing external session management controls until a fix is provided [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
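The regenerate-on-login control that the Overview and Mitigation sections describe, shown as an added PHP example that is not PluXml's code: the vulnerable login handler keeps whatever session ID the client arrived with, the hardened one issues a fresh ID at the moment of authentication. The function names (verifyCredentials, loginUserVulnerable, loginUserHardened), the sample credentials and the ini settings are assumptions made for illustration.

```php
<?php
// Added example, not PluXml's code. It contrasts a login handler that keeps
// the pre-authentication session ID with one that regenerates it.
declare(strict_types=1);

// Discard any session ID the client presents that this server never issued.
// With strict mode on, an attacker-chosen ID that is absent from the session
// store is replaced by a freshly generated one instead of being adopted.
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Lax');
session_start();

/**
 * Placeholder credential check (assumption for this example). A real
 * application verifies a stored password hash from its user store.
 */
function verifyCredentials(string $user, string $password): bool
{
    // Constructed sample user; hashed at runtime so no hash is hard-coded.
    $sampleHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    return $user === 'admin' && password_verify($password, $sampleHash);
}

/**
 * Vulnerable pattern: the session ID that existed before login is kept,
 * so anyone who planted that ID shares the authenticated session.
 */
function loginUserVulnerable(string $user, string $password): bool
{
    if (!verifyCredentials($user, $password)) {
        return false;
    }
    $_SESSION['user'] = $user;   // same session ID before and after login
    return true;
}

/**
 * Hardened pattern: issue a brand-new session ID at the privilege change
 * and delete the old session data, so the pre-authentication ID is useless.
 * Returns true only if the ID actually changed.
 */
function loginUserHardened(string $user, string $password): bool
{
    if (!verifyCredentials($user, $password)) {
        return false;
    }
    $preAuthId = session_id();
    session_regenerate_id(true);   // true = destroy the old session file
    $_SESSION['user'] = $user;
    $_SESSION['auth_at'] = time();
    return session_id() !== $preAuthId;
}
```

session.use_strict_mode removes the simplest way of planting a chosen ID (the server refuses IDs it did not create), and session_regenerate_id(true) closes the remaining gap for an ID that was legitimately issued to an unauthenticated visitor. To check a deployment for this class of defect, compare the session cookie value before and after a successful login: an unchanged value means the regeneration step is missing.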
Affected products
- PluXml/PluXml CMS v5, range: 5.9.0-rc7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- cert.pl/posts/2026/03/CVE-2026-24350 (nvd; broken link)
- pluxml.org (nvd; product)
News mentions
No linked articles in our index yet.