CVE-2026-11434

Cross-Site Scripting (XSS) Stored

CVE-2026-11434: Stored Cross-Site Scripting (XSS) in the /admin/blocks endpoint via the Blocks Plugin

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2026-11434

Summary

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/blocks endpoint of the FluentCMS application. It allows an attacker to inject malicious scripts through the Blocks Plugin. The injected script is stored on the server and executed automatically whenever a user accesses the main page, posing a significant security risk.

Details

Vulnerable Endpoint: /admin/blocks

Parameter: Blocks Plugin

PoC

Payload

"><img src=x onerror=alert('CVE-Hunters')>

Steps to Reproduce:

  • Access the vulnerable endpoint and click on "Add Block" to set up a new entry.
  • Insert the payload in the "Content" field, type anything in the other fields and click on "Submit".
  • Access the preview page via "/?pagePreview=1", drag and drop the Block Plugin anywhere on the page and select the Block that was set up before.
  • Access the Main Page; the script executes automatically.
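Block content legitimately carries HTML, so plain output encoding would break the feature; the usual fix is to rebuild the stored content from an allow-list of tags and attributes before it is saved or rendered. The Python below is an added example and not FluentCMS code: the allow-list is an assumption chosen for illustration, and the inputs (the advisory's payload and a benign rich-text block) are constructed.

```python
import html
from html.parser import HTMLParser

# Assumed allow-list for block content; anything not listed is dropped, not escaped.
ALLOWED_TAGS = {"p", "br", "strong", "em", "ul", "ol", "li", "a", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "/")
VOID_TAGS = {"br"}


class BlockSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments
        self.open_tags = []  # lets us emit balanced closing tags

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # <img>, <script>, <svg>, ... never reach the output
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # event handlers such as onerror are always dropped
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue  # rejects javascript: and data: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        while tag in self.open_tags:  # also closes elements left open inside it
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # text is re-encoded


def sanitize_block(content):
    # Returns the block content rebuilt from allowed markup only.
    parser = BlockSanitizer()
    parser.feed(content)
    parser.close()
    while parser.open_tags:  # balance tags the input never closed
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)
```

Applying this to the advisory's payload leaves only the inert text `"&gt;`, while a benign block such as `<p><strong>Hi</strong> <a href="/about">about</a></p>` is returned unchanged.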

Impact

  • Session hijacking: Stealing cookies or authentication tokens to impersonate users.
  • Credential theft: Harvesting usernames and passwords using malicious scripts.
  • Malware delivery: Distributing unwanted or harmful code to victims.
  • Privilege escalation: Compromising administrative users through persistent scripts.
  • Data manipulation or defacement: Changing or disrupting site content.
  • Reputation damage: Eroding trust among site users and administrators.

Reference

https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/FluentCMS/CVE-2026-11434.md

Finder

Karina Gante

By: CVE-Hunters
