PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-16205 pluck-cms CVE debrief

A weakness has been identified in Pluck CMS up to 4.7.21, affecting the function htmlspecialchars_decode of the file data/modules/albums/albums.admin.php of the component Albums Module. This vulnerability can lead to cross-site scripting. The CVE record was published on 2026-07-19T03:16:42.250Z and has not been modified since then. Users of Pluck CMS up to version 4.7.21 should be aware of this weakness and take necessary precautions. The vulnerability has a CVSS score of 1.9 and is considered low severity.

Vendor
pluck-cms
Product
Pluck CMS
CVSS
LOW 1.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-19
Original CVE updated
2026-07-19
Advisory published
2026-07-19
Advisory updated
2026-07-19

Who should care

Users of Pluck CMS up to version 4.7.21 should be aware of this weakness and take necessary precautions. This includes reviewing the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance. Affected operator, platform, vulnerability-management, and security-team impact should be considered.

Technical summary

A weakness has been identified in Pluck CMS up to 4.7.21. This vulnerability affects the function htmlspecialchars_decode of the file data/modules/albums/albums.admin.php of the component Albums Module. Executing a manipulation of the argument Info can lead to cross-site scripting. It is possible to launch the attack remotely. The vulnerability has a CVSS score of 1.9 and is considered low severity.

Defensive priority

Low priority due to CVSS score of 1.9 and limited information about the vulnerability.

Recommended defensive actions

  • Inventory affected systems and review for compensating controls
  • Monitor for potential attacks
  • Consider upgrading to a version of Pluck CMS that is not vulnerable
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The project was informed of the problem early through an issue report but has not responded yet. The exploit has been made available to the public and could be used for attacks. Limited information is available about the vulnerability, and defenders should verify the affected scope and severity. The CVE record was published on 2026-07-19T03:16:42.250Z and has not been modified since then. The vulnerability affects Pluck CMS up to version 4.7.21.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-19T03:16:42.250Z and has not been modified since then.