A vulnerability was found in Pluck CMS up to 4.7.21 and classified as problematic. This vulnerability affects the function
htmlspecialchars_decode of the file data/modules/albums/albums.admin.php of the component Albums Module. Executing a manipulation of the argument Info can lead to cross site scripting.
This vulnerability is registered as CVE-2026-16205. It is possible to launch the attack remotely. Furthermore, an exploit is available.
The project was informed of the problem early through an issue report but has not responded yet.