Description
A flaw has been found in MaxSite CMS up to 109.3. This vulnerability affects unknown code of the component down_count Plugin. Manipulation of the argument f_file/f_prefix leads to cross-site scripting. The attack may be initiated remotely. An exploit has been published and may be used. Upgrading to version 109.4 resolves this issue. Patch name: 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. The affected component should be upgraded. The vendor was informed early about this issue and classifies it as a "Self-XSS". They deployed a countermeasure and stated: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."
Published: 2026-04-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

A cross-site scripting vulnerability (CWE-79) exists in the down_count plugin of MaxSite CMS 109.3 and earlier. Values supplied through the f_file and f_prefix arguments are written into the rendered page without being filtered through htmlspecialchars(), so HTML or script contained in them is interpreted by the browser instead of being displayed as text. Whoever views the affected output has that script run in their session, which is the usual route to session hijacking, credential theft or manipulation of page content. Two qualifications from the record: the vendor classifies the issue as Self-XSS, and every CVSS vector requires high privileges (PR:H) and user interaction (UI:R), so the practical impact depends on who is able to set these arguments and who sees the result. The advisory does not state that the injected values are stored or shown to other users.

Affected Systems

All installations of MaxSite CMS up to and including version 109.3 that use the down_count plugin are affected. The vulnerability is limited to the code of this plugin (the exact location is not identified in the advisory) and is remedied by upgrading the CMS to version 109.4 or later, which contains the corrected plugin; the fixing commit is 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7.

Risk and Exploitability

The CVSS v4.0 base score is 4.8 (Medium); the v3.0 and v3.1 scores are 2.4 (Low) and the v2.0 score is 3.3. All vectors record a network attack vector with low complexity, but also high privileges (PR:H, Au:M) and required user interaction, which is why the scores are modest for an XSS. The EPSS score below 1% indicates a low probability of exploitation in the wild, the CVE is not in CISA's Known Exploited Vulnerabilities catalog, and the SSVC assessment records Exploitation: poc, Automatable: no, Technical Impact: partial. The flaw is triggered remotely through crafted HTTP requests that supply malicious values for f_file or f_prefix; a proof-of-concept exploit has been published.

Generated by OpenCVE AI on April 28, 2026 at 05:26 UTC.

Remediation

A vendor fix is available: upgrade to MaxSite CMS 109.4 or later. The fixing commit is 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7, which the vendor describes as adding the missing htmlspecialchars() filtering. No separate workaround is published.

OpenCVE Recommended Actions

  • Upgrade MaxSite CMS to version 109.4 or later, which contains the fixed down_count plugin.
  • If an upgrade is not immediately possible, apply the individual patch commit 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7 to the affected plugin files.
  • Treat f_file and f_prefix (and any other value the down_count plugin renders) as untrusted: escape them with htmlspecialchars() using ENT_QUOTES and the UTF-8 charset, or an equivalent context-aware encoder, at the point of output rather than on input.
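The escaping fix the vendor describes, shown as an added illustration rather than code from MaxSite CMS: the advisory does not give the plugin's variable, template or function names, so render_counter_vulnerable(), render_counter_fixed(), h() and the markup they build are hypothetical; only the argument names f_file and f_prefix come from the record. The sample inputs are constructed.

```php
<?php
// Added illustration, not MaxSite CMS code. Only the argument names f_file and
// f_prefix come from the advisory; the functions and markup below are hypothetical.
declare(strict_types=1);

/**
 * Escape a value for insertion into HTML text or a double-quoted attribute.
 * ENT_QUOTES also escapes single quotes (needed if a template ever uses them
 * around an attribute); ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * returning an empty string, which would silently drop the counter label.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** The pattern the advisory describes: arguments echoed into markup unescaped. */
function render_counter_vulnerable(string $f_file, string $f_prefix, int $count): string
{
    return '<span class="down_count" data-file="' . $f_file . '">'
         . $f_prefix . ' ' . $count . '</span>';
}

/** Same output with every untrusted value passed through htmlspecialchars(). */
function render_counter_fixed(string $f_file, string $f_prefix, int $count): string
{
    return '<span class="down_count" data-file="' . h($f_file) . '">'
         . h($f_prefix) . ' ' . $count . '</span>';
}

// Constructed inputs: a benign pair, a value that breaks out of the attribute,
// and a value that injects an element into the text node.
$cases = [
    ['files/report.pdf', 'Downloads:'],
    ['x" onmouseover="alert(1)', 'Downloads:'],
    ['files/report.pdf', '<img src=x onerror=alert(1)>'],
];

foreach ($cases as [$f_file, $f_prefix]) {
    echo 'vulnerable: ', render_counter_vulnerable($f_file, $f_prefix, 42), PHP_EOL;
    echo 'fixed:      ', render_counter_fixed($f_file, $f_prefix, 42), PHP_EOL, PHP_EOL;
}
```

Run it with `php counter.php` (or whatever you name the file) and compare the two lines for each case: in the vulnerable output the second input closes the data-file attribute and adds an event handler, and the third input adds an element with an onerror handler; in the fixed output both survive only as visible text. Escaping belongs at the output point, because the same value may later land in a different context (a JavaScript string, a URL) where HTML escaping alone is not sufficient. When verifying an upgraded site, check every template that echoes these arguments, not just the one in which the issue was reported.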

Generated by OpenCVE AI on April 28, 2026 at 05:26 UTC.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:45:00 +0000

All values below were added (nothing removed).

First Time appeared: Maxsite, Maxsite cms
Vendors & Products: Maxsite, Maxsite cms

Mon, 27 Apr 2026 14:15:00 +0000

All values below were added (nothing removed).

Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 26 Apr 2026 03:00:00 +0000

All values below were added (nothing removed).

Description: A flaw has been found in MaxSite CMS up to 109.3. This vulnerability affects unknown code of the component down_count Plugin. This manipulation of the argument f_file/f_prefix causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. Upgrading to version 109.4 is able to resolve this issue. Patch name: 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. The affected component should be upgraded. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."
Title: MaxSite CMS down_count Plugin cross site scripting
Weaknesses: CWE-79, CWE-94
References: (none listed)
Metrics:
  cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}
  cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
  cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
  cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:24:06.084Z

Reserved: 2026-04-25T10:13:29.850Z

Link: CVE-2026-7014

Vulnrichment

Updated: 2026-04-27T13:24:00.521Z

NVD

Status: Deferred

Published: 2026-04-26T03:16:00.353

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7014

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:30:23Z

Weaknesses