Cyber Resilience

CVE-2026-24352

Severity: Medium
Published: 27 February 2026
Modified: 19 May 2026
CVSS Score (v4): 4.8 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0035 (26.9th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-24352 is a medium-severity Session Fixation (CWE-384) vulnerability in Pluxml Pluxml. Its CVSS base score is 4.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 26.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2026-24352 is a session fixation vulnerability in PluXml CMS, where a user's session identifier can be set prior to authentication, and this same session ID persists after successful login. This allows an attacker to predetermine and fix a session ID for a target user. The vulnerability was confirmed in versions 5.8.21 and 5.9.0-rc7, though other versions were not tested and may also be affected, as the vendor did not provide details on the vulnerable range despite early notification.

Unauthenticated attackers can exploit this remotely with low complexity and no user interaction required, as indicated by the CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By forcing a victim to use a predetermined session ID—such as through a crafted link or phishing—they can later hijack the victim's authenticated session, gaining full access to the account's privileges and potentially compromising confidentiality, integrity, and availability.

Advisories note that the vendor has not responded with vulnerability details, affected versions, or patch information. Relevant references include the CERT.PL advisory at https://cert.pl/posts/2026/03/CVE-2026-24350 and the PluXml website at https://pluxml.org/, but no specific mitigations or patches are detailed. Practitioners should assume broad vulnerability across PluXml deployments and consider session management best practices, such as regenerating session IDs post-authentication, until vendor guidance is available.


Vulnerability details

PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but did not respond with details of the vulnerability or the vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.
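The weakness described in the deeper analysis and in the vulnerability details above is the CWE-384 pattern: the server keeps whatever session identifier the browser presented before login and simply marks it authenticated. The fix the analysis recommends, regenerating the identifier the moment the user authenticates, is shown below in a small Python model. This is an added example, not PluXml's code or anything from the CERT.PL advisory; the SessionStore class, the two login routines, the preset identifier and the user name are all constructed for illustration. In PHP, the language PluXml is written in, the equivalent fix is calling session_regenerate_id(true) after a successful credential check, and setting session.use_strict_mode=1 so unknown client-supplied identifiers are not adopted.

```python
"""Model of session fixation (CWE-384) and its standard fix: rotate the session
identifier when privileges change (login).  Added example with a constructed
in-memory session store; not PluXml's code."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SessionStore:
    """Server-side session table keyed by the cookie value."""
    strict_mode: bool = False            # like PHP's session.use_strict_mode
    sessions: dict = field(default_factory=dict)

    def start(self, cookie_sid: Optional[str]) -> str:
        """Resolve the incoming cookie to a session id, creating one if needed.

        With strict_mode off, an unknown client-supplied id is adopted as-is,
        which is what lets a third party pre-choose a victim's session id."""
        if cookie_sid is not None and cookie_sid in self.sessions:
            return cookie_sid
        if cookie_sid is not None and not self.strict_mode:
            self.sessions[cookie_sid] = {}   # adopt whatever the client sent
            return cookie_sid
        sid = secrets.token_hex(16)         # server-chosen, unpredictable id
        self.sessions[sid] = {}
        return sid

    def regenerate(self, old_sid: str) -> str:
        """Move the session's data under a fresh id and destroy the old id."""
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = self.sessions.pop(old_sid)
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        """Authenticated user bound to this id, or None."""
        return self.sessions.get(sid, {}).get("user")


def login_fixation_prone(store: SessionStore, sid: str, user: str) -> str:
    """Authenticates but keeps the pre-login id: the behaviour the CVE describes."""
    store.sessions[sid]["user"] = user
    return sid


def login_hardened(store: SessionStore, sid: str, user: str) -> str:
    """Authenticates and rotates the id, so any pre-login id grants nothing."""
    new_sid = store.regenerate(sid)
    store.sessions[new_sid]["user"] = user
    return new_sid


def fixation_survives_login(login, strict_mode: bool = False) -> bool:
    """Check: does a pre-chosen id still resolve to the authenticated user after
    login?  True means the login routine leaves the fixation window open."""
    store = SessionStore(strict_mode=strict_mode)
    preset = "fixed0123456789abcdef0123456789ab"   # constructed pre-chosen id
    sid = store.start(preset)            # victim's first request carries it
    login(store, sid, "victim")          # victim authenticates
    return store.user_for(preset) == "victim"


if __name__ == "__main__":
    print("permissive store, no regeneration:",
          fixation_survives_login(login_fixation_prone))
    print("permissive store, regeneration:   ",
          fixation_survives_login(login_hardened))
    print("strict store, no regeneration:    ",
          fixation_survives_login(login_fixation_prone, strict_mode=True))
```

The third check shows why strict mode alone is not the whole fix: it stops the server from adopting an identifier it never issued, but it does not help if the pre-chosen identifier was obtained from the server first and then planted on the victim. Regenerating at login closes both paths, which is why the IA-5 and SC-23 controls below centre on it.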

CWE(s)

CWE-384 Session Fixation

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

T1550.004 Web Session Cookie (Lateral Movement)
Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

Session fixation in a public-facing CMS directly enables remote exploitation (T1190), leading to hijacking of authenticated sessions via known or fixed web session identifiers (T1185, T1550.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15438 (same product: Pluxml Pluxml)
CVE-2025-27661 (shared CWE-384)
CVE-2026-31940 (shared CWE-384)
CVE-2025-7015 (shared CWE-384)
CVE-2026-40010 (shared CWE-384)
CVE-2022-40916 (shared CWE-384)
CVE-2026-25101 (shared CWE-384)
CVE-2026-2177 (shared CWE-384)
CVE-2024-56529 (shared CWE-384)
CVE-2025-7014 (shared CWE-384)

Affected Assets

Vendor: pluxml
Product: pluxml
Versions: 5.8.21, 5.9.0

Mitigating Controls (NIST 800-53 r5)

Prevent: SC-23 mandates protection of communications session authenticity, directly preventing session fixation by ensuring sessions cannot be hijacked through predetermined identifiers.

Prevent: IA-5 requires secure management of authenticators including session identifiers, such as regenerating them post-authentication to block fixation attacks.

Prevent: AC-10 limits concurrent sessions per account, mitigating session hijacking by preventing attacker use of a fixed session ID simultaneously with the victim.
