CVE-2026-24351

Source
https://cve.org/CVERecord?id=CVE-2026-24351
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24351.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-24351
Downstream
Published
2026-02-27T11:35:23.141Z
Modified
2026-07-08T08:06:57.248962280Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Stored XSS in PluXml CMS
Details

PluXml CMS is vulnerable to Stored XSS in Static Pages editing functionality. Attacker with editing privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "5.9.0-rc7"
                },
                {
                    "last_affected": "5.9.0-rc7"
                },
                {
                    "introduced": "5.8.21"
                },
                {
                    "last_affected": "5.8.21"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24351.json",
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "CERT-PL"
}
References

Affected packages

Git / github.com/pluxml/pluxml

Affected ranges

Type
GIT
Repo
https://github.com/pluxml/pluxml
Events
Database specific
{
    "source": "CPE_STRING",
    "cpe": [
        "cpe:2.3:a:pluxml:pluxml:5.8.21:*:*:*:*:*:*:*",
        "cpe:2.3:a:pluxml:pluxml:5.9.0:rc7:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "5.8.21"
        },
        {
            "last_affected": "5.8.21"
        },
        {
            "introduced": "5.9.0-rc7"
        },
        {
            "last_affected": "5.9.0-rc7"
        }
    ]
}

Affected versions

5.*
5.8.21
5.9.0-rc7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24351.json"