CVE-2026-24352

Source
https://cve.org/CVERecord?id=CVE-2026-24352
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24352.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-24352
Downstream
Published
2026-02-27T12:16:03.210Z
Modified
2026-03-01T02:23:18.791754Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.

The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed vulnerable; other versions were not tested and might also be vulnerable.
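As an added illustration (not PluXml's own code and not part of this record), the following PHP login handler shows the pattern behind this flaw next to the fixed form: the session ID must be replaced at the moment authentication succeeds. check_credentials() and its stored hash are hypothetical stand-ins for the application's real check.

```php
<?php
declare(strict_types=1);

// Defensive defaults, set before session_start(): accept only server-issued
// session IDs, never read the ID from a URL, and harden the cookie.
// Note: strict mode alone does not fix fixation, because an attacker can
// still obtain a valid ID from the server and plant it; regeneration on
// login is the essential control.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax', 'secure' => true]);

// Hypothetical credential check; stands in for the real user store.
function check_credentials(string $user, string $password): bool
{
    $stored = ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return isset($stored[$user]) && password_verify($password, $stored[$user]);
}

// Vulnerable pattern: the session ID that existed before login is kept after
// login, so whoever knew (or planted) that ID now shares the authenticated session.
function login_vulnerable(string $user, string $password): bool
{
    session_start();
    if (!check_credentials($user, $password)) {
        return false;
    }
    $_SESSION['user'] = $user;   // same session ID as before authentication
    return true;
}

// Fixed pattern: issue a fresh session ID at the privilege change and delete
// the old session data, so any pre-authentication ID becomes worthless.
function login_fixed(string $user, string $password): bool
{
    session_start();
    if (!check_credentials($user, $password)) {
        return false;
    }
    $oldId = session_id();
    session_regenerate_id(true);           // new ID, old session removed
    $_SESSION['user'] = $user;
    $_SESSION['auth_time'] = time();
    return session_id() !== $oldId;        // true when the ID really changed
}
```

A quick check during testing is to capture the session cookie before submitting the login form and confirm it differs afterwards; an unchanged cookie indicates the vulnerable pattern.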

References

Affected packages

Git / github.com/pluxml/pluxml

Affected ranges

Type
GIT
Repo
https://github.com/pluxml/pluxml
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

5.*
5.1.7
5.2
5.3
5.3.1
5.4
5.5
5.6
5.8.9
v5.*
v5.7
v5.8
v5.8-rc
v5.8.1
v5.8.10
v5.8.11
v5.8.12
v5.8.13
v5.8.14
v5.8.15
v5.8.16
v5.8.17
v5.8.18
v5.8.19
v5.8.2
v5.8.20
v5.8.21
v5.8.3
v5.8.4
v5.8.5
v5.8.6
v5.8.7
v5.8.8
v5.8.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24352.json"