{"id":"CVE-2026-24351","details":"PluXml CMS is vulnerable to Stored XSS in the Static Pages editing functionality. An attacker with editing privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when the edited page is visited.\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.","modified":"2026-04-10T05:39:24.018176Z","published":"2026-02-27T12:16:03.047Z","references":[{"type":"WEB","url":"https://cert.pl/posts/2026/03/CVE-2026-24350"},{"type":"WEB","url":"https://pluxml.org/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pluxml/pluxml","events":[{"introduced":"0"},{"last_affected":"e6655d865765635919da712f4c55c854a4882fce"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"5.8.21"}]}}],"versions":["5.4","5.5","5.6","5.8.9","v5.7","v5.8","v5.8.1","v5.8.12","v5.8.13","v5.8.14","v5.8.15","v5.8.16","v5.8.17","v5.8.18","v5.8.19","v5.8.2","v5.8.20","v5.8.21","v5.8.3","v5.8.5","v5.8.7","v5.8.8","v5.8.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24351.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"5.8.9-rc7"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}