Description
Cross Site Scripting vulnerability in MaxSite CMS v.109.2 allows a remote attacker to obtain sensitive information via the Backend page file upload endpoint used by admin_page
Published: 2026-06-03
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site scripting flaw exists in the backend file upload endpoint of MaxSite CMS version 109.2. An attacker who can reach this endpoint can embed malicious script in the uploaded file. When a privileged user views or processes the file, the script runs in that user’s browser, permitting theft of account cookies, session tokens, or other confidential information. The flaw enables an attacker to compromise the confidentiality of administrative accounts and any data the user can access.

Affected Systems

Systems running MaxSite CMS 109.2 are vulnerable. No other versions are specified as affected, but the lack of a vendor patch suggests that only this exact build is known to be impacted.

Risk and Exploitability

Based on the description, it is inferred that the vulnerability is exploitable from any network location that can reach the CMS backend, so remote attackers can launch the exploit without local access. The CVSS score of 4.1 and an EPSS score of <1% indicate a moderate risk and low likelihood of exploitation. The issue is not listed in CISA’s KEV catalog, but the presence of a functional XSS vector on an administrative interface indicates a risk to sensitive data. A successful payload could bypass user authorization by operating within the context of the stored session of an authenticated admin user.

Generated by OpenCVE AI on June 5, 2026 at 05:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MaxSite CMS update that addresses the XSS flaw.
  • Limit access to the file upload endpoint to trusted IP ranges or enforce strict user‑role checks before allowing uploads.
  • Validate and sanitize all file contents and metadata on the server side to prevent injected scripts from executing.

Generated by OpenCVE AI on June 5, 2026 at 05:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 05:45:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting in MaxSite CMS 109.2 Backend File Upload

Fri, 05 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 4.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Maxsite
Maxsite maxsite Cms
Vendors & Products Maxsite
Maxsite maxsite Cms

Wed, 03 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description Cross Site Scripting vulnerability in MaxSite CMS v.109.2 allows a remote attacker to obtain sensitive information via the Backend page file upload endpoint used by admin_page
References

Subscriptions

Maxsite Maxsite Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-05T02:05:36.487Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37700

cve-icon Vulnrichment

Updated: 2026-06-05T02:05:32.983Z

cve-icon NVD

Status : Deferred

Published: 2026-06-03T20:16:20.070

Modified: 2026-06-05T02:17:13.623

Link: CVE-2026-37700

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T05:30:32Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')