CVE-2026-24352

Publication date 27 February 2026

Last updated 4 March 2026

Ubuntu priority

Description

PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
pluxml	25.10 questing	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Needs evaluation
	20.04 LTS focal	Needs evaluation
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2026-24352
https://cert.pl/posts/2026/03/CVE-2026-24350
https://pluxml.org/