CVE-2026-31205 PUBLISHED

Assigner: mitre
Reserved: 09.03.2026 Published: 04.05.2026 Updated: 04.05.2026

Cross Site Scripting vulnerability in Pluck CMS before v.4.7.21dev allows a remote attacker to escalate privileges via the editpage.php and the sanitizePageContent function

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AC:H/AV:N/A:N/C:H/I:H/PR:H/S:U/UI:R
CVSS Score: 5.7

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	n/a
Product	n/a
Versions	Version n/a is affected

References

https://github.com/pluck-cms/pluck/blob/main/data/inc/functions.all.php#L207
https://github.com/pluck-cms/pluck/blob/main/data/inc/editpage.php
https://github.com/pluck-cms/pluck/issues/141
https://medium.com/@nakah_/pluck-cms-stored-xss-in-page-editor-cve-2026-31205-3b0526743e1d?postPublishedType=initial

Problem Types

n/a text