6/6/2026 | 3 minutes to read | Tags: CVEs, XSS, FluentCMS
Introduction
While exploring the FluentCMS system, I discovered a stored XSS vulnerability in the Blocks plugin. The plugin allows the injection of malicious scripts without any sanitization.
These scripts are stored in the database and executed automatically when the corresponding page is accessed.
In this post, I’ll walk you through the technical details, how the vulnerability was exploited (PoC), screenshots with real evidence, and the security risks it represents in real-world environments.
What is CVE-2026-11434?
CVE-2026-11434 is a stored Cross-Site Scripting (XSS) vulnerability found in the FluentCMS application's Blocks plugin.
The plugin fails to properly validate user input, allowing attackers to persist JavaScript payloads on the server. The malicious code is executed automatically when the main page is loaded, affecting any user who visits it.
Technical Details
» Vulnerable Endpoint: /admin/blocks
» Affected Parameter: Blocks plugin ("Content" field)
» Trigger Page: Main Page
» Payload Used:
"><img src=x onerror=alert('CVE-Hunters')>
Proof of Concept (PoC)
To reproduce the vulnerability:
» Go to: /admin/blocks;
» Click on “Add Block” to set up a new entry;
» Insert the payload in the “Content” field and type any value in the other fields;
» Then click on “Submit”;
» Open the page preview via this endpoint: /?pagePreview=1;
» Drag and drop the Block plugin anywhere on the page;
» Select the block that was set up before;
» Access the Main Page and the script will execute automatically.
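The root cause described above is block content being written into the page as raw HTML. The following is an added example (not FluentCMS code, which is a different code base) that contrasts that unsafe rendering pattern with HTML-escaped rendering, and adds a triage check a defender can run over already-stored blocks; the block shape, the sample blocks and the helper names are all assumptions.

```javascript
// Added example, not part of FluentCMS: unsafe vs. escaped rendering of a
// stored block's "Content" field, plus a triage check over stored blocks.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable pattern: stored admin input is dropped straight into the template,
// so a payload like the one in this advisory becomes live markup.
function renderBlockUnsafe(block) {
  return `<div class="block" data-name="${block.name}">${block.content}</div>`;
}

// Hardened pattern: every value that originated from the admin form is
// escaped for the HTML context it lands in before being emitted.
function renderBlockEscaped(block) {
  return `<div class="block" data-name="${escapeHtml(block.name)}">` +
    `${escapeHtml(block.content)}</div>`;
}

// Triage helper (assumed workflow): flag stored blocks whose content carries
// active-content markers, for reviewing entries saved before a fix was applied.
const ACTIVE_CONTENT = /<\s*script\b|<\s*iframe\b|\bon[a-z]+\s*=|javascript\s*:/i;

function findSuspiciousBlocks(blocks) {
  return blocks
    .filter((b) => ACTIVE_CONTENT.test(b.content) || ACTIVE_CONTENT.test(b.name))
    .map((b) => b.id);
}

// Constructed sample data: three stored blocks, one carrying the advisory's payload.
const SAMPLE_BLOCKS = [
  { id: 1, name: 'footer', content: 'Contact us at info@example.test' },
  { id: 2, name: 'promo', content: `"><img src=x onerror=alert('CVE-Hunters')>` },
  { id: 3, name: 'faq', content: 'Prices include 20% VAT & shipping' },
];

for (const block of SAMPLE_BLOCKS) {
  console.log(renderBlockEscaped(block));
}
console.log('blocks needing review:', findSuspiciousBlocks(SAMPLE_BLOCKS));
```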
You can access the full technical report with all step-by-step evidence here: