Medium severity5.7NVD Advisory· Published May 4, 2026· Updated May 5, 2026

CVE-2026-31205

Description

Cross Site Scripting vulnerability in Pluck CMS before v.4.7.21dev allows a remote attacker to escalate privileges via the editpage.php and the sanitizePageContent function

Affected products

Pluck/Pluckreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/pluck-cms/pluck/blob/main/data/inc/editpage.phpnvd
github.com/pluck-cms/pluck/blob/main/data/inc/functions.all.phpnvd
github.com/pluck-cms/pluck/issues/141nvd
medium.com/@nakah_/pluck-cms-stored-xss-in-page-editor-cve-2026-31205-3b0526743e1dnvd

News mentions

No linked articles in our index yet.

cvss	0.371
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000