PluXml CMS Stored Cross-Site Scripting Vulnerability in File Uploading Functionality

Vulnerability

A stored cross-site scripting vulnerability has been identified in PluXml CMS versions 5.8.21 and 5.9.0-rc7. The issue arises in the file uploading feature, where an authenticated attacker can upload an SVG file embedded with a malicious payload. This payload is executed when a victim clicks the link to the uploaded image. In version 5.9.0-rc7, the malicious code does not execute upon clicking the image link, but can still be triggered by directly accessing the file. While versions 5.8.21 and 5.9.0-rc7 have been confirmed vulnerable, other versions may also be affected.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded SVG files containing malicious scripts are executed in the context of the user viewing the file.

Added: Feb 27, 2026, 12:19 PM

Updated: Feb 27, 2026, 2:12 PM

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

1.7

exploitability

5.0

remediation

0.0

relevance

3.3

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

1.7

exploitability

5.0

remediation

0.0

relevance

3.3

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

PluXml CMS Stored Cross-Site Scripting Vulnerability in File Uploading Functionality

Vulnerability

Impact

Affected Products

PluXml

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating