Description
PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Published: 2026-02-27
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Session hijacking via fixation
Action: Patch or Mitigate
AI Analysis

Impact

PluXml CMS allows a user's session identifier to be set before authentication, and that identifier remains unchanged after login. This is a classic session-fixation weakness (CWE-384): an attacker who can get a chosen session ID into the victim's browser before the victim logs in can, once the victim has authenticated, present that same ID and act with the victim's privileges. No credential theft is involved; the attacker simply waits for the victim to authenticate a session whose ID the attacker already knows.

Affected Systems

Versions 5.8.21 and 5.9.0-rc7 of PluXml CMS were tested and confirmed vulnerable (the NVD CPE entry for the release candidate reads 5.8.9:rc7, which does not match the advisory text). Other releases were not tested; since the vendor has not identified a fixed version, earlier and later releases should be treated as potentially affected until verified.

Risk and Exploitability

The 4.8 score is the CNA's CVSS 4.0 assessment (vector AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N), which models the attack as needing local access and passive user interaction; NVD separately assigned a CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H), so the two records disagree sharply on severity. Session fixation on its own does not let an attacker write a cookie into someone else's browser: a delivery path is still needed (in general another injection flaw, a sibling host that can set cookies for the domain, or a link carrying the ID where the application accepts session IDs from the URL), and none of these is documented for PluXml here. The EPSS below 1 percent and the SSVC assessment (exploitation: none, automatable: no) point to a low likelihood of mass exploitation, and the issue is not in CISA's KEV catalog; a targeted attack on a specific administrator remains the realistic scenario. The attack mechanics are inferred from the description: the client presents a chosen session ID before login, the CMS accepts it and does not regenerate it when the user authenticates, so the attacker's copy of that ID now refers to the authenticated session.

Generated by OpenCVE AI on April 18, 2026 at 17:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PluXml CMS as soon as the vendor publishes a release that regenerates the session ID on login; at the time of writing no fixed version has been identified, so check the project's release notes rather than assuming the latest release is safe.
  • Until then, patch the login handler locally: once the credentials have been verified, call PHP's session_regenerate_id(true) so the pre-authentication ID is discarded and the session data moves to a freshly issued ID, and do the same on logout and on any change of privilege level.
  • Set session.use_strict_mode=1 in php.ini so PHP refuses to adopt a session ID it did not issue. This blocks the simplest form of the attack (a fabricated ID) but not one where the attacker first obtains a valid ID from the server and plants that, so it complements regeneration rather than replacing it. Keep the session cookie HttpOnly and Secure so it cannot be read from script and is only sent over TLS.
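The check a site owner would actually run, as an added example that is not PluXml code and not part of the original advisory: it automates the attack mechanics described under Risk and Exploitability (present a chosen ID, log in, see whether that ID survives) and reports on both defences listed above (strict mode and regeneration on login). Assumptions, labelled in the code: the session cookie is PHP's default PHPSESSID (PluXml is a PHP application; the page does not state the cookie name), and the login URL, form field names and success marker in the commented-out live call are placeholders to adapt to the target. The decision logic is kept apart from the network code so it can be exercised on the constructed responses in offline_demo().

```python
"""Black-box check for session fixation on a login endpoint.

Added example for this page; it is not PluXml code. Assumptions, all
labelled: the session cookie is PHP's default PHPSESSID, and the login
URL and form field names under __main__ are placeholders to adapt.
"""
import urllib.error
import urllib.parse
import urllib.request

FIXED_ID = "attackerchosen0123456789abcdef0123"  # constructed attacker-chosen value


def set_cookie_values(headers, cookie_name):
    """Values assigned to cookie_name by Set-Cookie headers, in order.

    headers is an iterable of (name, value) pairs, e.g. resp.getheaders().
    Only the leading name=value pair is read; attributes after ';' are ignored.
    """
    values = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        key, _, val = value.split(";", 1)[0].partition("=")
        if key.strip() == cookie_name:
            values.append(val.strip())
    return values


def fixation_verdict(presented_id, login_headers, cookie_name, login_succeeded):
    """Classify the response to a login request made with presented_id.

    'inconclusive': the login did not succeed, so no rotation was expected
    'vulnerable'  : the server kept the presented ID (no Set-Cookie for it,
                    or it re-issued the same value) on a successful login
    'regenerated' : a different ID was issued on login (fixation defeated)
    """
    if not login_succeeded:
        return "inconclusive"
    issued = set_cookie_values(login_headers, cookie_name)
    if not issued or issued[-1] == presented_id:
        return "vulnerable"
    return "regenerated"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as HTTPError so the login response's own headers are kept."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _fetch(opener, req):
    try:
        with opener.open(req, timeout=15) as resp:
            return list(resp.getheaders()), resp.read()
    except urllib.error.HTTPError as err:  # 3xx (redirect) and 4xx/5xx land here
        return list(err.headers.items()), err.read()


def probe(login_url, form_fields, cookie_name="PHPSESSID", success_marker=None):
    """Two-step live test. Returns (adopted_unknown_id, verdict)."""
    opener = urllib.request.build_opener(_NoRedirect)
    # Step 1: present a fabricated ID. A strict-mode server answers with a
    # fresh one; a lax server silently adopts ours.
    headers, _ = _fetch(opener, urllib.request.Request(
        login_url, headers={"Cookie": f"{cookie_name}={FIXED_ID}"}))
    reissued = set_cookie_values(headers, cookie_name)
    session_id = reissued[-1] if reissued else FIXED_ID
    adopted = not reissued
    # Step 2: log in while presenting that ID and see whether it is rotated.
    req = urllib.request.Request(
        login_url, data=urllib.parse.urlencode(form_fields).encode(),
        headers={"Cookie": f"{cookie_name}={session_id}"})
    headers, body = _fetch(opener, req)
    succeeded = success_marker is None or success_marker in body.decode("utf-8", "replace")
    return adopted, fixation_verdict(session_id, headers, cookie_name, succeeded)


def offline_demo():
    """Constructed login responses showing both outcomes; no network involved."""
    kept = [("Content-Type", "text/html"), ("Location", "/admin/"),
            ("Set-Cookie", "theme=dark; Path=/")]  # session ID left untouched
    rotated = [("Set-Cookie", f"PHPSESSID={FIXED_ID}; Path=/; HttpOnly"),
               ("Set-Cookie", "PHPSESSID=9f3c1e6a7b2d4c8e5a1f0b3d6e9c2a4f; Path=/; HttpOnly")]
    return (fixation_verdict(FIXED_ID, kept, "PHPSESSID", True),
            fixation_verdict(FIXED_ID, rotated, "PHPSESSID", True))


if __name__ == "__main__":
    print(offline_demo())  # ('vulnerable', 'regenerated')
    # Live use against your own instance. URL, field names and marker are
    # placeholders (not taken from PluXml); adapt them before running.
    # print(probe("https://blog.example/core/admin/auth.php",
    #             {"login": "admin", "password": "secret"},
    #             success_marker="Logout"))
```

Run it only against an instance you own. A verdict of 'vulnerable' on a successful login means the ID presented before authentication survived it; adopted=True from step 1 means the server accepted a fabricated ID outright (strict mode off). Always pass a success_marker that only appears on a logged-in page, because a failed login legitimately keeps the same ID and would otherwise be misread as fixation.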

Generated by OpenCVE AI on April 18, 2026 at 17:34 UTC.


Advisories

No advisories yet.

History

Sat, 28 Feb 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 18:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Pluxml; Pluxml pluxml

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:pluxml:pluxml:5.8.21:*:*:*:*:*:*:*; cpe:2.3:a:pluxml:pluxml:5.8.9:rc7:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Pluxml; Pluxml pluxml

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 27 Feb 2026 11:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Type: Title
Values Removed: (none)
Values Added: Session Fixation in PluXml CMS

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-384

Type: References
Values Removed: (none)
Values Added:

Type: Metrics (cvssV4_0)
Values Removed: (none)
Values Added: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-02-27T15:05:15.633Z

Reserved: 2026-01-22T14:08:35.743Z

Link: CVE-2026-24352

Vulnrichment

Updated: 2026-02-27T15:05:09.400Z

NVD

Status : Analyzed

Published: 2026-02-27T12:16:03.210

Modified: 2026-02-27T18:36:00.687

Link: CVE-2026-24352

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses