CVE-2026-11434

LOW

FluentCMS Blocks Plugin blocks cross site scripting

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-11434. PoCs published by KarinaGante.

AI-analyzed exploit summary: This repository provides a detailed technical writeup for CVE-2026-11434, a stored XSS vulnerability in FluentCMS's `/admin/blocks` endpoint via the Blocks Plugin. It includes a step-by-step PoC, payload, and impact analysis.

Description

A weakness has been identified in FluentCMS 0.0.5. The impacted element is an unknown function of the file /admin/blocks of the component Blocks Plugin. This manipulation causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Exploits (1)

github WRITEUP
by KarinaGante · htmlpoc
https://github.com/KarinaGante/KG-Sec/tree/main/CVEs/FluentCMS/CVE-2026-11434.md


Classification: Writeup 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: FluentCMS
Auth required
Prerequisites: Access to the `/admin/blocks` endpoint · Ability to add a new block with malicious content
devstral-2 · analyzed Jun 10, 2026

References (7)

Core References
Vdb Entry
VDB-369014 | FluentCMS Blocks Plugin blocks cross site scripting
https://vuldb.com/vuln/369014
Signature, Permissions Required
VDB-369014 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/369014/cti
Third Party Advisory
CVE-2026-11434 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-11434
Third Party Advisory
Submit #821094 | FluentCMS 0.0.5 Cross Site Scripting
https://vuldb.com/submit/821094

Scores

CVSS v3: 2.4
EPSS: 0.0027
EPSS Percentile: 19.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79, CWE-94
Status: published
Products (1): None/FluentCMS 0.0.5
Published: Jun 06, 2026
Tracked Since: Jun 06, 2026