CVE-2026-24350 is a stored cross-site scripting (XSS) vulnerability affecting PluXml CMS, specifically versions 5.8.21 and 5.9.0-rc7. The vulnerability is rooted in improper neutralization of input during web page generation (CWE-79), allowing an authenticated attacker to upload an SVG file embedded with malicious JavaScript payloads. When a victim accesses the uploaded SVG file directly, the embedded script executes in the victim's browser context, potentially leading to session hijacking, defacement, or other malicious actions. In version 5.9.0-rc7, clicking the link associated with the uploaded image does not trigger the payload, but direct file access still does. The vendor was notified early but has not disclosed a patch or full vulnerable version range, and other versions may also be affected. The vulnerability requires an attacker to have authenticated access to the CMS to upload the malicious SVG, and some user interaction is needed for exploitation. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond authentication, and user interaction required. No known exploits are currently in the wild. The lack of vendor response and patch availability increases the risk for organizations relying on these versions of PluXml CMS. This vulnerability highlights the risks of insufficient input validation and sanitization in file upload features, especially for SVG files which can contain executable scripts.

The primary impact of this vulnerability is the potential for stored XSS attacks, which can compromise the confidentiality and integrity of user sessions and data. Attackers could steal authentication cookies, perform actions on behalf of victims, deface websites, or deliver malware. Since exploitation requires authenticated access, the threat is more targeted, typically from insiders or compromised accounts. However, the ability to execute arbitrary JavaScript in users’ browsers can lead to broader compromise if administrative or privileged users are tricked into accessing the malicious SVG. This can result in unauthorized access, data leakage, or further system compromise. The vulnerability affects organizations using PluXml CMS versions 5.8.21 and 5.9.0-rc7, which may include small to medium websites relying on this CMS. The absence of a patch and incomplete vendor communication prolongs exposure and complicates mitigation. Overall, the impact is medium severity but could escalate if combined with other vulnerabilities or social engineering.

Organizations should immediately restrict or disable SVG file uploads in PluXml CMS until a vendor patch is available. Implement strict server-side validation and sanitization of uploaded files, ensuring SVGs do not contain embedded scripts or potentially dangerous content. Use Content Security Policy (CSP) headers to limit script execution from untrusted sources. Monitor and audit user uploads and access logs for suspicious activity. Limit authenticated user permissions to reduce the risk of malicious uploads. Educate users to avoid directly accessing uploaded SVG files from untrusted sources. Consider deploying web application firewalls (WAFs) with rules to detect and block malicious SVG payloads. Regularly update PluXml CMS and subscribe to vendor advisories for patches. If possible, isolate the CMS environment to minimize impact from potential exploitation.