Description
PluXml CMS is vulnerable to Stored XSS in the Static Pages editing functionality. An attacker with editing privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when the edited page is visited.

The vendor was notified early about this vulnerability, but did not respond with details of the vulnerability or the vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.
Published: 2026-02-27
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Assess
AI Analysis

Impact

PluXml CMS contains a stored cross-site scripting flaw in the static pages editing workflow. Content editors can embed arbitrary HTML or JavaScript that is saved in the database and served unfiltered to any visitor. Because the payload is rendered as part of the page, a successful exploit enables an attacker with editing rights to execute scripts in the context of any user who views the contaminated page, potentially allowing credential theft, defacement, or malicious redirects.

Affected Systems

The vulnerability affects the PluXml CMS platform, specifically the versions that have been confirmed to be vulnerable: 5.8.21 and 5.9.0-rc7. While other releases have not been tested, they may also contain the flaw. The affected component is the static pages editing interface, which is part of the core application supplied by PluXml.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate impact, and an EPSS below 1% suggests low exploitation probability so far. The vulnerability is not currently catalogued in CISA's KEV list. Attackers need at least editing privileges to inject the payload; if such privileges are available, either through compromised accounts or misconfigured access, the exploit chain is straightforward: the attacker submits malicious content, which the CMS stores and later serves to visitors. No additional network or local privilege escalation is required beyond the editing role.

Generated by OpenCVE AI on April 17, 2026 at 14:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the currently installed CMS version and determine whether it equals 5.8.21 or 5.9.0-rc7.
  • If running a vulnerable version, upgrade to a newer release that does not contain the flaw or apply any vendor patch once it becomes available.
  • Restrict who can edit static pages to a minimal set of trusted users and enforce strict input sanitization or output encoding to prevent malicious script injection.
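As an added defender-side illustration, not code from PluXml or from this record, the following PHP snippet contrasts the sink the description implies (stored editor content echoed verbatim into the page) with the output-encoding mitigation the recommended actions name. The function names and the sample content are constructed for this example and do not correspond to PluXml's own code paths.

```php
<?php
// Added example, not PluXml code. Demonstrates output encoding of stored
// static-page content at the render sink. Function names and the sample
// input below are constructed for illustration.
declare(strict_types=1);

// Unsafe pattern: the saved page body is concatenated into the response as-is,
// so any <script> element or event-handler attribute an editor stored is
// parsed and executed by every visitor's browser (stored XSS, CWE-79).
function renderPageUnsafe(string $storedBody): string
{
    return '<div class="static-page">' . $storedBody . '</div>';
}

// Hardened pattern: HTML-encode at the point of output. Angle brackets and
// quotes become entities, so stored markup is displayed as text rather than
// parsed. ENT_QUOTES covers both quote styles (safe inside attributes too);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function renderPageEncoded(string $storedBody): string
{
    $safe = htmlspecialchars(
        $storedBody,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<div class="static-page">' . $safe . '</div>';
}

// Constructed sample resembling what an editor could save; the script is a
// harmless alert used only to show the difference between the two sinks.
$sample = '<p>Welcome</p><script>alert("stored xss")</script>';

echo renderPageUnsafe($sample), PHP_EOL;   // script tag reaches the browser intact
echo renderPageEncoded($sample), PHP_EOL;  // script tag arrives as &lt;script&gt;... text
```

Run with `php example.php` and compare the two lines: the encoded version contains no live tags. Two caveats apply when mapping this to a CMS. First, htmlspecialchars is correct only for the HTML text and attribute contexts; content placed inside a script block, a URL, or inline CSS needs context-specific encoding instead. Second, a static-page editor that legitimately accepts HTML from editors cannot simply encode everything; it then needs an allowlist-based HTML sanitizer (tags and attributes, with URL schemes restricted) applied before storage or on output, which is the "strict input sanitization" option the recommended actions mention.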

Generated by OpenCVE AI on April 17, 2026 at 14:00 UTC.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 18:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Pluxml
                                      Pluxml pluxml
CPEs                                  cpe:2.3:a:pluxml:pluxml:5.8.21:*:*:*:*:*:*:*
                                      cpe:2.3:a:pluxml:pluxml:5.8.9:rc7:*:*:*:*:*:*
Vendors & Products                    Pluxml
                                      Pluxml pluxml
Metrics                               cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Fri, 27 Feb 2026 11:45:00 +0000

Type          Values Removed   Values Added
Description                    PluXml CMS is vulnerable to Stored XSS in Static Pages editing functionality. Attacker with editing privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Title                          Stored XSS in PluXml CMS
Weaknesses                     CWE-79
References
Metrics                        cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-02-27T15:14:57.021Z

Reserved: 2026-01-22T14:08:35.743Z

Link: CVE-2026-24351

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-02-27T12:16:03.047

Modified: 2026-02-27T18:34:15.210

Link: CVE-2026-24351

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses