LeakyCreds

CVE-2026-24352 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: February 27, 2026

PluXml CMS - Authentication Bypass

Published: February 27, 2026 | Updated: February 27, 2026 | Remote Exploitable

Overview

PluXml CMS 5.8.21 and 5.9.0-rc7 contain a session fixation vulnerability: a session ID can be set before authentication and is retained after login, which lets attackers hijack authenticated sessions. Exploitation requires the victim to authenticate with the fixed session ID.

Severity & Score

Severity: Critical
CVSS Score: 9.8

Impact

Attackers can hijack authenticated user sessions, gaining unauthorized access to victim accounts.

Mitigation

Update to the latest version where session fixation is fixed.
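
The property a fix has to provide, as an added example that is not PluXml code or part of the original advisory: a session ID known before login must not be authenticated after login. The `SessionStore` class, its method names and the sample user are assumptions; the model is an in-memory stand-in for server-side sessions.

```python
import secrets


class SessionStore:
    """In-memory model of server-side sessions, keyed by session ID."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session ID -> authenticated user name, or None

    def start(self):
        """Anonymous visit: issue a fresh, unauthenticated session ID."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, sid, user):
        """Authenticate `user` on session `sid`; return the ID to use afterwards."""
        if sid not in self.sessions:
            sid = self.start()
        if self.rotate_on_login:
            # Hardened: drop the pre-login ID and bind the user to a new one.
            del self.sessions[sid]
            sid = self.start()
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        """User bound to `sid`, or None if unknown or unauthenticated."""
        return self.sessions.get(sid)


def prelogin_id_survives_login(store):
    """Regression check: True means the ID known before login is authenticated
    after login, which is the session fixation condition (CWE-384)."""
    pre = store.start()
    post = store.login(pre, "alice")  # constructed sample user
    assert store.whoami(post) == "alice"
    return store.whoami(pre) is not None


if __name__ == "__main__":
    print("retained ID:", prelogin_id_survives_login(SessionStore(rotate_on_login=False)))
    print("rotated ID: ", prelogin_id_survives_login(SessionStore(rotate_on_login=True)))
```

In a PHP application, the rotation step in `login` is what `session_regenerate_id(true)` performs.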

Details

CVE ID: CVE-2026-24352
Severity: Critical
CVSS Score: 9.8
Type: broken_authentication
Status: confirmed

CWE

  • CWE-384

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H