CVE-2026-24352
Session Fixation Vulnerability in PluXml CMS Allows Hijacking
Publication date: 2026-02-27
Last updated on: 2026-05-19
Assigner: CERT.PL
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pluxml | pluxml | 5.8.21 |
| pluxml | pluxml | 5.9.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-384 | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in PluXml CMS allows an attacker to set a user's session identifier before the user authenticates. Because the session ID remains the same after authentication, the attacker can fix a session ID for a victim and later hijack the authenticated session.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can hijack a victim's authenticated session by fixing the session ID before the victim logs in. This can lead to unauthorized access to the victim's account and potentially sensitive information or actions performed under that account.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know