Description
A vulnerability was detected in MaxSite CMS up to 109.3. This affects an unknown part of the component Redirect Plugin. The manipulation of the argument f_all/f_all404 results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. Upgrading to version 109.4 is able to mitigate this issue. The patch is identified as 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. You should upgrade the affected component. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."
Published: 2026-04-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The vulnerability is an uncontrolled input parameter in the f_all/f_all404 arguments of the Redirect Plugin that allows a remote attacker to embed arbitrary script. An attacker can execute scripts in the context of the site, potentially hijacking sessions, defacing content, or spreading malware. Because the flaw is stored in the CMS database, the injected payload can persist across users and sessions. The weakness is categorized as Cross‑Site Scripting, specifically an input validation flaw.

Affected Systems

The issue appears in MaxSite CMS versions up to 109.3, specifically affecting the Redirect Plugin component. Users running those versions are susceptible until they upgrade to 109.4 or later, where htmlspecialchars filtering has been added.

Risk and Exploitability

With a CVSS score of 4.8 the vulnerability is considered moderate. The EPSS score is less than 1 %, indicating a low publicly observed exploitation probability, and the vulnerability is not listed in CISA’s KEV. The attack is remote, via the web interface, and does not require authentication, so unauthenticated users may supply malicious payloads through the affected parameters.

Generated by OpenCVE AI on April 28, 2026 at 05:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch commit 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7 (available in release 109.4).
  • If an upgrade is not possible, implement input filtering on the f_all and f_all404 parameters so that only safe characters are accepted.
  • Restrict access to the Redirect Plugin to authenticated administrators only and audit the component for similar input‑validation issues.

Generated by OpenCVE AI on April 28, 2026 at 05:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Maxsite
Maxsite cms
Vendors & Products Maxsite
Maxsite cms

Mon, 27 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 26 Apr 2026 02:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in MaxSite CMS up to 109.3. This affects an unknown part of the component Redirect Plugin. The manipulation of the argument f_all/f_all404 results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. Upgrading to version 109.4 is able to mitigate this issue. The patch is identified as 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. You should upgrade the affected component. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."
Title MaxSite CMS Redirect Plugin cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Maxsite Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T17:04:16.592Z

Reserved: 2026-04-25T10:13:23.521Z

Link: CVE-2026-7012

cve-icon Vulnrichment

Updated: 2026-04-27T17:04:05.348Z

cve-icon NVD

Status : Deferred

Published: 2026-04-26T02:16:06.487

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7012

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T05:30:23Z

Weaknesses