These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
PluXml CMS contains a session fixation vulnerability (CWE-384) where a user's session identifier can be set prior to authentication and persists unchanged after successful authentication. This allows an attacker to predetermine a session ID for a victim and subsequently hijack the authenticated session. The vulnerability was reported to the vendor without response regarding vulnerability details or affect [truncated]
A stored cross-site scripting (XSS) vulnerability in PluXml CMS allows authenticated users with editing privileges to inject arbitrary HTML and JavaScript into static pages. The malicious content executes when visitors access the compromised page. The vulnerability was disclosed to the vendor without response regarding affected version ranges. Testing confirmed exploitation in versions 5.8.21 and 5.9.0-rc [truncated]
CVE-2026-24350 describes a stored cross-site scripting issue in PluXml CMS file upload handling. An authenticated attacker can upload an SVG containing malicious script, and the payload may execute when a victim opens the uploaded content. The supplied report also notes a behavior difference in 5.9.0-rc7: clicking the link associated with the uploaded image did not execute code, but direct access to the f [truncated]