CVE-2026-24352

PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://cert.pl/posts/2026/03/CVE-2026-24350	Broken Link
https://pluxml.org/	Product

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:pluxml:pluxml:5.8.9:rc7::::::
	cpe:2.3:a:pluxml:pluxml:5.8.21:::::::*

History

27 Feb 2026, 18:36

Type	Values Removed	Values Added
References	~~() https://cert.pl/posts/2026/03/CVE-2026-24350 -~~	() https://cert.pl/posts/2026/03/CVE-2026-24350 - Broken Link
References	~~() https://pluxml.org/ -~~	() https://pluxml.org/ - Product
CPE		cpe:2.3:a:pluxml:pluxml:5.8.21:::::::* cpe:2.3:a:pluxml:pluxml:5.8.9:rc7::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Pluxml pluxml Pluxml

27 Feb 2026, 12:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-27 12:16

Updated : 2026-02-27 18:36

NVD link : CVE-2026-24352

Mitre link : CVE-2026-24352

CVE.ORG link : CVE-2026-24352

JSON object : View

Products Affected

pluxml

pluxml

CWE

CWE-384

Session Fixation

{"id": "CVE-2026-24352", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-27T12:16:03.210", "references": [{"url": "https://cert.pl/posts/2026/03/CVE-2026-24350", "tags": ["Broken Link"], "source": "cvd@cert.pl"}, {"url": "https://pluxml.org/", "tags": ["Product"], "source": "cvd@cert.pl"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-384"}]}], "descriptions": [{"lang": "en", "value": "PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID\nfor a victim and later hijack the authenticated session.\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable."}], "lastModified": "2026-02-27T18:36:00.687", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pluxml:pluxml:5.8.9:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1F351A35-C607-4452-82DB-8F2548F5640A"}, {"criteria": "cpe:2.3:a:pluxml:pluxml:5.8.21:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7E8A60BA-2CCD-4CA1-85EB-C576B06084AE"}], "operator": "OR"}]}], "sourceIdentifier": "cvd@cert.pl"}