PT-2026-22331 · Unknown · Pluxml Cms

Arkadiusz Marta · Published 2026-02-27 · Updated 2026-02-27 · CVE-2026-24350

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

PluXml CMS versions 5.8.21 and 5.9.0-rc7

Description

PluXml CMS contains a Stored Cross-Site Scripting (XSS) issue in the file uploading functionality. An authenticated attacker can upload a malicious SVG file. Clicking the link associated with the uploaded image, or directly accessing the file, can execute the embedded payload. The vendor was notified but did not provide details about the vulnerability or vulnerable version range.

Recommendations

Update to a newer version of PluXml CMS that addresses this issue. Avoid uploading SVG files from untrusted sources. As a temporary workaround, consider restricting file uploads to only trusted file types.
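
The workaround above, restricting uploads to trusted file types, can be enforced on file content rather than on the extension. The following added example (not PluXml code and not part of the original advisory) accepts raster images by magic bytes and admits an SVG only if it has no script-capable elements, event-handler attributes or non-fragment links; the function name, tag list and policy are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET

# Assumed policy, not PluXml's: raster images pass on magic bytes alone.
RASTER_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
                b"GIF87a": "gif", b"GIF89a": "gif"}
# SVG elements that can run script or embed foreign documents.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "object", "embed",
               "animate", "set"}

def local(name):
    """'{namespace}Tag' -> 'tag' (namespace stripped, lower-cased)."""
    return name.rsplit("}", 1)[-1].lower()

def check_upload(data: bytes):
    """Return (accepted, type_or_reason) for an uploaded file body."""
    for magic, kind in RASTER_MAGIC.items():
        if data.startswith(magic):
            return True, kind
    # NUL bytes (UTF-16) and DTDs can hide markup from the checks below.
    if b"\x00" in data or re.search(rb"<!\s*(DOCTYPE|ENTITY)", data, re.I):
        return False, "encoding or DTD not allowed"
    try:
        root = ET.fromstring(data)
    except (ET.ParseError, LookupError, ValueError):
        return False, "not an allowed type"
    if local(root.tag) != "svg":
        return False, "not an allowed type"
    for el in root.iter():
        if local(el.tag) in ACTIVE_TAGS:
            return False, "active element <%s>" % local(el.tag)
        for attr, value in el.attrib.items():
            name = local(attr)
            if name.startswith("on"):
                return False, "event handler attribute " + name
            # Only same-document references ("#id") are allowed in links.
            if name in ("href", "src") and not value.strip().startswith("#"):
                return False, "external or script URL in " + name
    return True, "svg"

# Constructed samples for the example.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>/* placeholder */</script></svg>')
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"/>'

if __name__ == "__main__":
    for sample in (CLEAN_SVG, SCRIPT_SVG, HANDLER_SVG):
        print(check_upload(sample))
```

The check runs on the stored bytes, so it applies regardless of the filename or the Content-Type the client supplied.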

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-24350

Affected Products

Pluxml Cms