LeakyCreds

CVE-2026-24352 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: February 27, 2026

PluXml CMS - Authentication Bypass

Published: February 27, 2026 | Updated: February 27, 2026 | Remote Exploitable

Overview

PluXml CMS 5.8.21 and 5.9.0-rc7 contain a session fixation vulnerability: the session ID can be set before authentication and is retained after login, which lets an attacker hijack the authenticated session. Exploitation requires the victim to authenticate with the fixed session ID.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 4.5% (probability of exploitation in the next 30 days)

Impact

Attackers can hijack authenticated user sessions, gaining unauthorized access to victim accounts.

Mitigation

Update to the latest version where session fixation is fixed.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Feb 28, 2026

🔓 CVE-2026-24352 - Critical (9.8) PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24352/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-24352
Severity: Critical
CVSS Score: 9.8
Type: broken_authentication
Status: confirmed
EPSS: 4.5%
Social Posts: 1

CWE

  • CWE-384

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

4.5% (probability of exploitation in the next 30 days)