| Field | Value |
|---|---|
| CVE ID | CVE-2026-24350 |
| Publication date | 27 February 2026 |
| Vendor | PluXml |
| Product | PluXml CMS |
| Vulnerable versions | 5.8.21 and 5.9.0-rc7 |
| Vulnerability type (CWE) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) |
| Report source | Report to CERT Polska |

| Field | Value |
|---|---|
| CVE ID | CVE-2026-24351 |
| Publication date | 27 February 2026 |
| Vendor | PluXml |
| Product | PluXml CMS |
| Vulnerable versions | 5.8.21 and 5.9.0-rc7 |
| Vulnerability type (CWE) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) |
| Report source | Report to CERT Polska |

| Field | Value |
|---|---|
| CVE ID | CVE-2026-24352 |
| Publication date | 27 February 2026 |
| Vendor | PluXml |
| Product | PluXml CMS |
| Vulnerable versions | 5.8.21 and 5.9.0-rc7 |
| Vulnerability type (CWE) | Session Fixation (CWE-384) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in PluXml CMS software and participated in coordination of their disclosure.
The vulnerability CVE-2026-24350: PluXml CMS is vulnerable to stored XSS in the file upload functionality. An authenticated attacker can upload an SVG file containing a malicious payload, which is executed when a victim clicks the link associated with the uploaded image. In version 5.9.0-rc7, clicking the link associated with the uploaded image does not execute the malicious code, but accessing the file directly still executes the embedded payload.
The vulnerability CVE-2026-24351: PluXml CMS is vulnerable to stored XSS in the static page editing functionality. An attacker with editing privileges can inject arbitrary HTML and JavaScript into the website, which is rendered and executed when the edited page is visited.
The vulnerability CVE-2026-24352: PluXml CMS allows a user's session identifier to be set before authentication, and the session ID keeps the same value after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.
The vendor was notified early about these vulnerabilities but did not respond with details about the vulnerabilities or the vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.
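The session-fixation pattern behind CVE-2026-24352 and its standard remediation, shown as an added PHP illustration that is not PluXml's code: the vulnerable handler keeps whatever session ID existed before login, while the fixed handler rejects client-supplied uninitialised IDs and issues a fresh ID at the moment of authentication. The credential check, the account and the form field names are assumptions made for the example.

```php
<?php
// Added illustration, not PluXml's code. check_credentials(), the sample
// account and the $_POST field names are assumptions for this example.
declare(strict_types=1);

// Refuse session IDs the server never issued (mitigates cookie/URL-supplied IDs).
ini_set('session.use_strict_mode', '1');
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax', 'secure' => true]);
session_start();

/** Hypothetical credential check; a real application uses its own user store. */
function check_credentials(string $user, string $password): bool
{
    // Constructed sample account, used only so the example runs stand-alone.
    static $hash = null;
    $hash ??= password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    return $user === 'admin' && password_verify($password, $hash);
}

// Vulnerable pattern (CWE-384): the pre-authentication session ID is kept, so
// an ID an attacker planted in the victim's browser becomes an authenticated one.
function login_vulnerable(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) {
        return false;
    }
    $_SESSION['user'] = $user;   // session_id() is unchanged from before login
    return true;
}

// Fixed pattern: rotate the ID at the privilege boundary and delete the old
// session, so any ID known before authentication no longer maps to a session.
function login_fixed(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) {
        return false;
    }
    session_regenerate_id(true);   // true: destroy the old session data too
    $_SESSION['user'] = $user;
    $_SESSION['auth_time'] = time();
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login_fixed((string)($_POST['user'] ?? ''), (string)($_POST['password'] ?? ''));
    http_response_code($ok ? 302 : 401);
    header($ok ? 'Location: /admin/' : 'Content-Type: text/plain');
    if (!$ok) {
        echo "Login failed\n";
    }
}
```

A quick way to verify a fix of this kind is to compare the session cookie value returned before and after a successful login; with the fixed handler it must differ, and a request carrying the old value must no longer be treated as authenticated.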
Credits
We thank Arkadiusz Marta for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.