PatchSiren cyber security CVE debrief
CVE-2026-16205 pluck-cms CVE debrief
A weakness has been identified in Pluck CMS up to 4.7.21, affecting the function htmlspecialchars_decode of the file data/modules/albums/albums.admin.php of the component Albums Module. This vulnerability can lead to cross-site scripting. The CVE record was published on 2026-07-19T03:16:42.250Z and has not been modified since then. Users of Pluck CMS up to version 4.7.21 should be aware of this weakness and take necessary precautions. The vulnerability has a CVSS score of 1.9 and is considered low severity.
- Vendor
- pluck-cms
- Product
- Pluck CMS
- CVSS
- LOW 1.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-19
- Original CVE updated
- 2026-07-19
- Advisory published
- 2026-07-19
- Advisory updated
- 2026-07-19
Who should care
Users of Pluck CMS up to version 4.7.21 should be aware of this weakness and take necessary precautions. This includes reviewing the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance. Affected operator, platform, vulnerability-management, and security-team impact should be considered.
Technical summary
A weakness has been identified in Pluck CMS up to 4.7.21. This vulnerability affects the function htmlspecialchars_decode of the file data/modules/albums/albums.admin.php of the component Albums Module. Executing a manipulation of the argument Info can lead to cross-site scripting. It is possible to launch the attack remotely. The vulnerability has a CVSS score of 1.9 and is considered low severity.
Defensive priority
Low priority due to CVSS score of 1.9 and limited information about the vulnerability.
Recommended defensive actions
- Inventory affected systems and review for compensating controls
- Monitor for potential attacks
- Consider upgrading to a version of Pluck CMS that is not vulnerable
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The project was informed of the problem early through an issue report but has not responded yet. The exploit has been made available to the public and could be used for attacks. Limited information is available about the vulnerability, and defenders should verify the affected scope and severity. The CVE record was published on 2026-07-19T03:16:42.250Z and has not been modified since then. The vulnerability affects Pluck CMS up to version 4.7.21.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-19T03:16:42.250Z and has not been modified since then.