CVE-2026-24352
Published: 27 February 2026
Summary
CVE-2026-24352 is a critical-severity Session Fixation (CWE-384) vulnerability in Pluxml Pluxml. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 6.3 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-23 (Session Authenticity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
SC-23 mandates protection of communications session authenticity, directly preventing session fixation by ensuring sessions cannot be hijacked through predetermined identifiers.
IA-5 requires secure management of authenticators including session identifiers, such as regenerating them post-authentication to block fixation attacks.
AC-10 limits concurrent sessions per account, mitigating session hijacking by preventing attacker use of a fixed session ID simultaneously with the victim.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Session fixation in public-facing CMS directly enables remote exploitation (T1190) leading to authenticated session hijacking via known/fixed web session identifiers (T1185, T1550.004).
NVD Description
PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Deeper analysis [AI]
CVE-2026-24352 is a session fixation vulnerability in PluXml CMS, where a user's session identifier can be set prior to authentication, and this same session ID persists after successful login. This allows an attacker to predetermine and fix a session ID for a target user. The vulnerability was confirmed in versions 5.8.21 and 5.9.0-rc7, though other versions were not tested and may also be affected, as the vendor did not provide details on the vulnerable range despite early notification.
Unauthenticated attackers can exploit this remotely with low complexity and no user interaction required, as indicated by the CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By forcing a victim to use a predetermined session ID—such as through a crafted link or phishing—they can later hijack the victim's authenticated session, gaining full access to the account's privileges and potentially compromising confidentiality, integrity, and availability.
Advisories note that the vendor has not responded with vulnerability details, affected versions, or patch information. Relevant references include the CERT.PL advisory at https://cert.pl/posts/2026/03/CVE-2026-24350 and the PluXml website at https://pluxml.org/, but no specific mitigations or patches are detailed. Practitioners should assume broad vulnerability across PluXml deployments and consider session management best practices, such as regenerating session IDs post-authentication, until vendor guidance is available.
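The defect described above (a pre-authentication identifier that survives login) and the IA-5 / SC-23 mitigation listed under Mitigating Controls can both be made concrete with a small model of a server-side session table. The Python below is an added example, not PluXml's code and not part of the advisory; the user name, password, session store and the `SessionStore`, `attach`, `login` and `fixation_resistant` names are all constructed for illustration. It switches two behaviours independently: whether the server accepts an identifier it never issued (the permissive mode the advisory describes; the alternative models PHP's `session.use_strict_mode=1`), and whether it rotates the identifier when the user authenticates. The property check then shows that only rotation at login closes the hole, because strict mode alone still lets a genuine pre-login identifier carry over into the authenticated session.

```python
"""Added example: session fixation versus regenerate-on-login (not PluXml code)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed credential store (username -> password). Plaintext only to keep
# the example short; a real CMS compares against a salted password hash.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class Session:
    user: Optional[str] = None


@dataclass
class SessionStore:
    """Server-side session table with two switchable behaviours.

    regenerate_on_login: issue a fresh identifier when the user authenticates
        and invalidate the old one (the IA-5 / SC-23 mitigation).
    accept_unknown_ids: create a session for any identifier the client presents
        (the permissive behaviour the advisory describes). False models
        PHP's session.use_strict_mode=1, where unknown identifiers are replaced.
    """
    regenerate_on_login: bool
    accept_unknown_ids: bool
    sessions: Dict[str, Session] = field(default_factory=dict)

    def _issue(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session()
        return sid

    def attach(self, presented_sid: Optional[str]) -> str:
        """Map the identifier from the client's cookie to a server session and
        return the identifier the response should set."""
        if presented_sid in self.sessions:
            return presented_sid
        if presented_sid is not None and self.accept_unknown_ids:
            # Permissive: a never-issued, client-supplied value becomes a real
            # session, so whoever planted it in the browser already knows it.
            self.sessions[presented_sid] = Session()
            return presented_sid
        return self._issue()

    def login(self, sid: str, username: str, password: str) -> str:
        """Authenticate; return the identifier the client must use from now on."""
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return sid
        if self.regenerate_on_login:
            # Fix: privilege level changed, so rotate the identifier and drop
            # the old one. Any pre-login identifier now points at nothing.
            del self.sessions[sid]
            sid = self._issue()
        self.sessions[sid].user = username
        return sid

    def current_user(self, sid: str) -> Optional[str]:
        s = self.sessions.get(sid)
        return s.user if s else None


def fixation_resistant(store: SessionStore) -> bool:
    """Property check for the CWE-384 defect: no identifier known before login
    may identify the authenticated session afterwards. Two cases are tried:
    a never-issued value, and a genuine pre-authentication identifier."""
    for planted in ("planted-id-0123456789", store.attach(None)):   # constructed values
        pre_login = store.attach(planted)
        post_login = store.login(pre_login, "alice", USERS["alice"])
        if store.current_user(planted) is not None:
            return False   # the pre-login identifier still reaches the account
        if store.current_user(post_login) != "alice":
            return False   # login itself must still work
    return True


if __name__ == "__main__":
    for regen in (True, False):
        for permissive in (True, False):
            store = SessionStore(regenerate_on_login=regen, accept_unknown_ids=permissive)
            print(f"regenerate_on_login={regen!s:5} accept_unknown_ids={permissive!s:5} "
                  f"-> resistant={fixation_resistant(store)}")
```

Run stand-alone, the script reports `resistant=True` only for the two configurations with `regenerate_on_login=True`. The same property check is a reasonable unit test to keep in any web application's own test suite: it exercises the login path exactly once per case and fails the moment a pre-authentication identifier starts resolving to an authenticated user.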
Details
- CWE(s)