{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-08T22:33:53.820","vulnerabilities":[{"cve":{"id":"CVE-2026-24350","sourceIdentifier":"cvd@cert.pl","published":"2026-02-27T12:16:02.867","lastModified":"2026-02-27T18:33:58.880","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"PluXml CMS is vulnerable to Stored XSS in file uploading functionality. An authenticated attacker can upload an SVG file containing a malicious payload, which will be executed when a victim clicks the link associated with the uploaded image.\nIn version 5.9.0-rc7 clicking the link associated with the uploaded image doesn't execute malicious code but directly accessing the file will still execute the embedded payload.\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable."},{"lang":"es","value":"PluXml CMS es vulnerable a XSS Almacenado en la funcionalidad de carga de archivos. Un atacante autenticado puede cargar un archivo SVG que contiene una carga útil maliciosa, que se ejecutará cuando una víctima haga clic en el enlace asociado con la imagen cargada.\nEn la versión 5.9.0-rc7, hacer clic en el enlace asociado con la imagen cargada no ejecuta código malicioso, pero acceder directamente al archivo seguirá ejecutando la carga útil incrustada.\n\nSe notificó al proveedor con antelación sobre esta vulnerabilidad, pero no respondió dando los detalles de la vulnerabilidad ni del rango de versiones vulnerables. Solo se probaron las versiones 5.8.21 y 5.9.0-rc7 y se confirmó que eran vulnerables; no se probaron otras versiones por lo que también podrían ser vulnerables."}],"metrics":{"cvssMetricV40":[{"source":"cvd@cert.pl","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}]},"weaknesses":[{"source":"cvd@cert.pl","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:pluxml:pluxml:5.8.9:rc7:*:*:*:*:*:*","matchCriteriaId":"1F351A35-C607-4452-82DB-8F2548F5640A"},{"vulnerable":true,"criteria":"cpe:2.3:a:pluxml:pluxml:5.8.21:*:*:*:*:*:*:*","matchCriteriaId":"7E8A60BA-2CCD-4CA1-85EB-C576B06084AE"}]}]}],"references":[{"url":"https://cert.pl/posts/2026/03/CVE-2026-24350","source":"cvd@cert.pl","tags":["Broken Link"]},{"url":"https://pluxml.org/","source":"cvd@cert.pl","tags":["Product"]}]}}]}