CVE-2026-24352
9.8 CRITICAL
PluXml CMS allows a user's session identifier to be set before authentication
Published: 2026-02-27 · Last updated: 2026-05-19
Severity and scoring
- CVSS: 9.8 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-384
Affected products
| Vendor | Product |
|---|---|
| pluxml | pluxml |
Description
PluXml CMS allows a user's session identifier to be set before authentication, and the value of that session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.
Source: NVD
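The defect described above is the classic CWE-384 pattern: the session that existed before login is simply marked authenticated, so whatever ID the browser presented survives the privilege boundary. The following is an added example, not PluXml's own code, showing that pattern beside the hardened form in PHP; `check_credentials()` and its stored user are hypothetical stand-ins.

```php
<?php
// Added example (not PluXml's code): a minimal login handler showing the
// session-fixation-prone pattern and the hardened pattern side by side.
declare(strict_types=1);

// Hypothetical credential check; a real application would query its user store.
function check_credentials(string $user, string $password): bool {
    $stored = ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return isset($stored[$user]) && password_verify($password, $stored[$user]);
}

// Vulnerable pattern: the session started before authentication (whatever
// PHPSESSID the client presented) is upgraded to "logged in" unchanged.
// Anyone who already knows that ID now holds an authenticated session.
function login_vulnerable(string $user, string $password): bool {
    session_start();
    if (!check_credentials($user, $password)) {
        return false;
    }
    $_SESSION['user'] = $user;          // same session ID as before login
    return true;
}

// Hardened pattern: issue a fresh ID at the privilege boundary and discard
// the old one, so a pre-authentication ID is useless after login.
function login_hardened(string $user, string $password): bool {
    // Reject client-supplied IDs the server never issued, and only ever
    // read the ID from the cookie, never from the URL.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();
    if (!check_credentials($user, $password)) {
        return false;
    }
    session_regenerate_id(true);        // true = destroy the old session data
    $_SESSION['user'] = $user;
    $_SESSION['auth_time'] = time();
    return true;
}
```

A quick check for this class of bug in any web application is to compare the session cookie value before and after a successful login: if it does not change, the application is fixation-prone regardless of how the ID was originally obtained.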
References
Related CVEs
Same vendor
- CVE-2026-24351 — PluXml CMS is vulnerable to Stored XSS in Static Pages editing functionality (5.4 MEDIUM)
- CVE-2026-24350 — PluXml CMS is vulnerable to Stored XSS in file uploading functionality (5.4 MEDIUM)
Same CWE
- CVE-2009-10007 — Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks (9.1 CRITICAL)
- CVE-2026-41839 — A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalati... (4.2 MEDIUM)
- CVE-2026-11335 — A flaw has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500e... (6.3 MEDIUM)
- CVE-2025-67446 — Improper Authentication (Authentication Bypass) exists in Neterbit NW-431F Router 20241014-IR03 and before (9.8 CRITICAL)
- CVE-2026-33384 — QuickCMS allows a user's session identifier to be set before authentication