CVE-2026-24351 MEDIUM

CVE-2026-24351: Stored XSS in PluXml CMS

Vendor Pluxml

Product PluXml CMS

Weakness CWE-79 · XSS

Published February 27, 2026

Last update February 27, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

PluXml CMS is vulnerable to Stored XSS in Static Pages editing functionality. Attacker with editing privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Key dates

02Disclosure timeline

February 27, 2026 CVE published

February 27, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-24351 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

Identifiers

CVE CVE-2026-24351

CWE CWE-79

CVSS 5.1 / MEDIUM

Affected versions

Vendor Pluxml

Product PluXml CMS

Affected 5.9.0-rc7

Vendor Pluxml

Product PluXml CMS

Affected 5.8.21

CVE-2026-24351: Stored XSS in PluXml CMS

01Description

02Disclosure timeline

03References

04Related CVE