Description
A security vulnerability has been detected in MaxSite CMS up to 109.3. Affected by this issue is some unknown functionality of the component mail_send Plugin. The manipulation of the argument f_subject/f_files/f_from leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 109.4 can resolve this issue. The identifier of the patch is 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. It is advisable to upgrade the affected component. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."
Published: 2026-04-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting
Action: Patch
AI Analysis

Impact

A flaw in the mail_send plugin of MaxSite CMS through version 109.3 allows an attacker to embed arbitrary JavaScript in the f_subject, f_files, or f_from fields. Because these values are rendered without output encoding, the injected code executes in the browser, creating a stored cross-site scripting (XSS) vector. The vendor classifies the issue as Self-XSS and attributes it to the missing htmlspecialchars() filtering.

Affected Systems

MaxSite CMS (MaxSite:CMS) versions up to and including 109.3 are affected, specifically the mail_send component, which accepts the f_subject, f_files, and f_from parameters. The fix released in version 109.4 (commit 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7) removes the flaw by adding the missing output encoding.

Risk and Exploitability

The CVSS score of 4.8 indicates medium severity; the EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalog, which suggests a low current probability of exploitation. The flaw is reachable remotely: an adversary only needs to submit a crafted request to the mail_send endpoint, after which the malicious script is stored and executed for any user who views the content. A public proof of concept exists, so unpatched installations remain exposed to anyone with network access to the CMS. Note, however, that the vendor classifies the issue as Self-XSS and the CVSS v4 vector recorded on this page requires high privileges (PR:H) and user interaction (UI:P), which narrows the realistic set of attackers.

Generated by OpenCVE AI on April 28, 2026 at 05:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MaxSite CMS to version 109.4, whose mail_send plugin applies htmlspecialchars() to all of its output.
  • If an immediate upgrade is not possible, modify the mail_send code to wrap the f_subject, f_from, and f_files values with htmlspecialchars() before rendering them to the browser.
  • Conduct a targeted XSS test against the mail_send endpoint to confirm that arbitrary script payloads are no longer executed, and revise the test matrix as new plugins or fields are added.
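As an added illustration (not MaxSite's own code), here is the unsafe echo pattern the advisory describes beside its hardened form, plus the regression check the last action calls for; the function names and the sample input are constructed for this example:

```php
<?php
// Added example (not MaxSite CMS code): field names f_from/f_subject/f_files
// come from the advisory; mail_send_esc() and the renderers are assumptions.
declare(strict_types=1);

/** Encode an untrusted value for an HTML text or attribute context. */
function mail_send_esc(string $value): string
{
    // ENT_QUOTES also encodes single quotes (needed in attribute values);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern: user-supplied fields are echoed back raw. */
function render_unsafe(array $fields): string
{
    return '<input name="f_from" value="' . $fields['f_from'] . '">'
         . '<p>' . $fields['f_subject'] . '</p>'
         . '<p>' . $fields['f_files'] . '</p>';
}

/** Hardened pattern: every untrusted value passes through mail_send_esc(). */
function render_safe(array $fields): string
{
    return '<input name="f_from" value="' . mail_send_esc($fields['f_from']) . '">'
         . '<p>' . mail_send_esc($fields['f_subject']) . '</p>'
         . '<p>' . mail_send_esc($fields['f_files']) . '</p>';
}

/** Regression check: encoded values must contain no raw HTML metacharacters. */
function output_is_encoded(array $fields): bool
{
    foreach ($fields as $v) {
        if (preg_match('/[<>"\']/', mail_send_esc($v))) {
            return false;
        }
    }
    return true;
}

// Constructed sample input carrying each character that must be encoded.
$sample = [
    'f_from'    => 'Sam <sam@example.test>',
    'f_subject' => 'Re: "Order" <b>#42</b> & \'thanks\'',
    'f_files'   => 'report <final>.pdf',
];

assert(output_is_encoded($sample));
assert(strpos(render_safe($sample), '<b>') === false);
echo render_safe($sample), PHP_EOL;
```

Run it with `php -d zend.assertions=1` so the assertions are evaluated; the same check can be pointed at a staging copy of the patched plugin to confirm no field is still emitted raw.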

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:45:00 +0000

Type                 Values Removed  Values Added
First Time appeared                  Maxsite; Maxsite cms
Vendors & Products                   Maxsite; Maxsite cms

Mon, 27 Apr 2026 13:15:00 +0000

Type     Values Removed  Values Added
Metrics                  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 26 Apr 2026 03:00:00 +0000

Type         Values Removed  Values Added
Description                  A security vulnerability has been detected in MaxSite CMS up to 109.3. Affected by this issue is some unknown functionality of the component mail_send Plugin. The manipulation of the argument f_subject/f_files/f_from leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 109.4 can resolve this issue. The identifier of the patch is 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. It is advisable to upgrade the affected component. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."
Title                        MaxSite CMS mail_send Plugin cross site scripting
Weaknesses                   CWE-79; CWE-94
References
Metrics                      cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}
                             cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
                             cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
                             cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T12:41:59.493Z

Reserved: 2026-04-25T10:13:26.890Z

Link: CVE-2026-7013

Vulnrichment

Updated: 2026-04-27T12:41:52.873Z

NVD

Status: Deferred

Published: 2026-04-26T03:16:00.153

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7013

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:30:23Z

Weaknesses