CVE-2026-24352CRITICAL 9.8EPSS p26.9%

CVE-2026-24352CVE-2026-24352

Description

PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.35% probability of exploitation · percentile 26.9% · 2026-06-19T12:03:05Z
Published2026-02-27
Last modified2026-05-19

Underlying weaknesses· 1

CWE-384

References

  1. https://cert.pl/posts/2026/03/CVE-2026-24350
  2. https://pluxml.org/

1

TypeTargetConfidenceTier
WeaknessSession Fixationcwe-3840%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-25101
CVE
CVE-2025-54761
CVE
CVE-2025-65840
CVE
CVE-2026-23796
CVE
CVE-2026-46401
CVE
CVE-2025-45953
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.