Description
A weakness has been identified in MaxSite CMS up to 109.3. Affected by this vulnerability is an unknown functionality of the file /admin/plugin_antispam of the component Antispam Plugin. Executing a manipulation of the argument f_logging_file can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 109.4 addresses this issue. This patch is called 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. Upgrading the affected component is advised. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."
Published: 2026-04-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (stored XSS)
Action: Upgrade Immediately
AI Analysis

Impact

The vulnerability resides in the Antispam Plugin of MaxSite CMS, reached through /admin/plugin_antispam. The value submitted for the f_logging_file argument is written back into the administration page without being passed through htmlspecialchars(), so a value containing markup or a script tag is rendered as HTML and executes in the browser of any user who opens that page. The page classifies it as stored cross-site scripting, but the metrics record two preconditions: the attacker needs high privileges (PR:H) and the victim must interact (UI:R in CVSS 3.x, UI:P in CVSS 4.0), which is why the vendor calls it a "Self-XSS". The rated impact is a low integrity impact only (C:N/I:L/A:N): an account with administrator-level rights can plant script that runs in another administrator's session, but no confidentiality or availability loss is scored. The weakness is recorded as CWE-79 (improper neutralization of input during web page generation) and CWE-94 (improper control of generation of code).

Affected Systems

All MaxSite CMS installations up to and including version 109.3 are affected; the Antispam Plugin ships with the CMS and its settings page is served from /admin/plugin_antispam. The fix is in release 109.4 (patch commit 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7), so every release below 109.4 must be upgraded. Releases 109.4 and later contain the fix and are not affected.

Risk and Exploitability

The headline score of 4.8 (Medium) is the CVSS 4.0 base score; the CVSS 3.1 base score for the same issue is 2.4 (Low) and the CVSS 2.0 score is 3.3. All vectors (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N and CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N) describe a network-reachable flaw that needs high privileges and a user interaction and affects integrity only, at low severity; confidentiality and availability are rated as unaffected. The SSVC assessment records Exploitation: poc, Automatable: no and Technical Impact: partial. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, but public proof-of-concept code exists, so the attack is reproducible against an unpatched site by anyone who already holds administrator-level access. The vulnerability is not listed in the CISA KEV catalog; the available exploit and the low cost of the upgrade still warrant prompt remediation.
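As an added check that is not part of the OpenCVE text: a CVSS v3.1 base score calculation (specification section 7.1) run over the vector published for this CVE, together with a what-if vector (an assumption, not a metric published for this CVE) that drops the privilege and interaction requirements. The code is written for this page, not taken from OpenCVE, NVD or VulDB.

```php
<?php
// Added example for this page, not OpenCVE or NVD code: a CVSS v3.1 base
// score calculator applied to the vector listed above, plus a what-if vector
// (an assumption, not a published metric) that shows how much PR:H and UI:R
// pull the score down.
declare(strict_types=1);

const AV  = ['N' => 0.85, 'A' => 0.62, 'L' => 0.55, 'P' => 0.20];
const AC  = ['L' => 0.77, 'H' => 0.44];
const UI  = ['N' => 0.85, 'R' => 0.62];
const CIA = ['H' => 0.56, 'L' => 0.22, 'N' => 0.0];
// PR weights depend on Scope: index 0 applies to S:U, index 1 to S:C.
const PR  = ['N' => [0.85, 0.85], 'L' => [0.62, 0.68], 'H' => [0.27, 0.50]];

// Roundup as defined by the specification: one decimal, always rounding up,
// done in integer arithmetic to avoid floating-point surprises.
function cvssRoundup(float $x): float
{
    $i = (int) round($x * 100000);
    if ($i % 10000 === 0) {
        return $i / 100000;
    }
    return (intdiv($i, 10000) + 1) / 10;
}

// Parse "CVSS:3.1/AV:N/AC:L/..." into ['AV' => 'N', ...]. Temporal metrics
// (E, RL, RC) are carried along but ignored: only the base score is computed.
function parseVector(string $vector): array
{
    $metrics = [];
    foreach (explode('/', $vector) as $part) {
        [$key, $value] = explode(':', $part, 2);
        $metrics[$key] = $value;
    }
    return $metrics;
}

function cvss31BaseScore(string $vector): float
{
    $m = parseVector($vector);
    $changed = $m['S'] === 'C';

    $iss = 1 - (1 - CIA[$m['C']]) * (1 - CIA[$m['I']]) * (1 - CIA[$m['A']]);
    $impact = $changed
        ? 7.52 * ($iss - 0.029) - 3.25 * (($iss - 0.02) ** 15)
        : 6.42 * $iss;
    $exploitability = 8.22 * AV[$m['AV']] * AC[$m['AC']]
        * PR[$m['PR']][$changed ? 1 : 0] * UI[$m['UI']];

    if ($impact <= 0) {
        return 0.0;
    }
    return $changed
        ? cvssRoundup(min(1.08 * ($impact + $exploitability), 10))
        : cvssRoundup(min($impact + $exploitability, 10));
}

// The CVSS 3.1 vector recorded for CVE-2026-7011 on this page.
$published = 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C';
// What-if (assumption): the same flaw if it needed no privileges and no interaction.
$whatIf    = 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N';

printf("Published vector:  %.1f\n", cvss31BaseScore($published));
printf("PR:N/UI:N what-if: %.1f\n", cvss31BaseScore($whatIf));
```

Run with `php cvss.php`. The published vector evaluates to 2.4, the value the History section records for cvssV3_1; the what-if vector with PR:N/UI:N evaluates to 5.3, which shows that the privilege and interaction requirements, not the injection itself, keep this score low. The CVSS 4.0 score of 4.8 uses a different scoring method and is not reproduced here.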

Generated by OpenCVE AI on April 28, 2026 at 05:27 UTC.

Remediation

Vendor fix: upgrade to MaxSite CMS 109.4, which contains patch commit 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7 (the f_logging_file value is now passed through htmlspecialchars() before display). The vendor has published no separate workaround.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch by upgrading MaxSite CMS to version 109.4 or later (patch commit 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7).
  • If upgrading is delayed, disable the Antispam Plugin, or at least limit access to /admin/plugin_antispam to trusted administrators; because the flaw requires high privileges, the realistic risk is one administrator planting a payload that runs in another administrator's browser.
  • For custom builds or forks, pass the f_logging_file value through htmlspecialchars() with ENT_QUOTES at the point where it is rendered into the administration page. Store the raw value and escape at output rather than before storage, so the setting keeps its original characters for any non‑HTML use and every rendering path is covered by the same call.
  • After upgrading, confirm that a value containing the characters < > " ' submitted in the f_logging_file field appears escaped in the page source instead of being interpreted as markup.
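The pattern behind the vendor's fix and the third recommendation, as an added example written for this page (it is not MaxSite CMS code; the form markup, the function names and the sample value are assumptions): the unescaped rendering of a plugin option next to the escaped version, with a check that tells the two apart.

```php
<?php
// Added example for this page, not code from MaxSite CMS. The form markup,
// function names and sample value are assumptions used to show the pattern.
declare(strict_types=1);

// Constructed sample: what an administrator could submit in the
// f_logging_file field. The double quote closes the value attribute and the
// remainder is interpreted as markup if the value is echoed unescaped.
const SAMPLE_VALUE = 'antispam.log"><script>alert(document.domain)</script><input type="hidden';

// Vulnerable pattern: the option value goes straight into the HTML attribute.
function renderOptionUnescaped(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: escape at output, for the HTML attribute context.
// ENT_QUOTES also converts single quotes, which matters inside attributes;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the result.
function renderOptionEscaped(string $name, string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $safe . '">';
}

// Check used below: does the rendered HTML contain a raw double quote inside
// the value attribute (which terminates it) or a raw script tag?
function breaksOutOfAttribute(string $html): bool
{
    $start = strpos($html, 'value="') + strlen('value="');
    // Everything after the opening quote, minus the trailing `">` that the
    // template itself emits, is what the browser treats as the attribute value.
    $valueBody = substr($html, $start, -2);
    return strpos($valueBody, '"') !== false || stripos($valueBody, '<script') !== false;
}

$vulnerable = renderOptionUnescaped('f_logging_file', SAMPLE_VALUE);
$hardened   = renderOptionEscaped('f_logging_file', SAMPLE_VALUE);

echo "Unescaped: {$vulnerable}\n";
echo "Escaped:   {$hardened}\n";
printf("Unescaped breaks out of the attribute: %s\n", breaksOutOfAttribute($vulnerable) ? 'yes' : 'no');
printf("Escaped breaks out of the attribute:   %s\n", breaksOutOfAttribute($hardened) ? 'yes' : 'no');
```

Run with `php render.php`. On PHP 8.1 and later htmlspecialchars() already defaults to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, but earlier releases default to ENT_COMPAT, which leaves single quotes alone, so pass the flags explicitly whenever the output lands in an attribute. Escaping happens at render time only; the stored value is untouched, so the same call protects every page that displays it.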

Generated by OpenCVE AI on April 28, 2026 at 05:27 UTC.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Maxsite
Maxsite cms
Vendors & Products Maxsite
Maxsite cms

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 26 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in MaxSite CMS up to 109.3. Affected by this vulnerability is an unknown functionality of the file /admin/plugin_antispam of the component Antispam Plugin. Executing a manipulation of the argument f_logging_file can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 109.4 addresses this issue. This patch is called 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. Upgrading the affected component is advised. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."
Title MaxSite CMS Antispam Plugin plugin_antispam cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:50:27.566Z

Reserved: 2026-04-25T10:13:19.657Z

Link: CVE-2026-7011

Vulnrichment

Updated: 2026-04-27T13:50:17.269Z

NVD

Status : Deferred

Published: 2026-04-26T01:15:59.590

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7011

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:30:23Z

Weaknesses