Description
A vulnerability was found in MaxSite CMS up to 109.3. Impacted is an unknown function of the component ushki Plugin. Performing a manipulation of the argument f_ushka_new/f_ushk results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. Upgrading to version 109.4 is recommended to address this issue. The patch is named 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. Upgrading the affected component is recommended. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."
Published: 2026-04-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

A vulnerability was identified in the ushki Plugin of MaxSite CMS versions up to 109.3 that allows an attacker to inject malicious scripts via the f_ushka_new and f_ushk input parameters. The lack of proper output filtering (e.g., missing htmlspecialchars()) enables a stored cross‑site scripting flaw (CWE‑79) that can be triggered remotely. An attacker who successfully injects JavaScript could hijack user sessions, deface content, or exfiltrate sensitive data from the victim’s browser.

Affected Systems

The issue affects all installations of MaxSite CMS running the ushki Plugin with version numbers up to and including 109.3. The vendor’s security advisory specifies that upgrading to version 109.4, which contains patch commit 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7, resolves the flaw. No other product versions or vendors are listed, so the vulnerability is specific to MaxSite CMS.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate severity, and the EPSS score of <1% reflects a very low probability of exploitation at this time. Nonetheless, the vulnerability has a publicly available exploit, and remote exploitation is feasible via crafted web requests to the affected plugin. This flaw is not currently listed in the CISA KEV catalog, but the public nature of the exploit means administrators should not underestimate the risk. Implementing the recommended patch and validating that input is properly sanitized remain the key mitigations.

Generated by OpenCVE AI on April 28, 2026 at 05:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MaxSite CMS to version 109.4 or later, which includes the fixed patch commit.
  • If upgrading is not feasible, apply the source code patch that introduces proper output escaping (e.g., htmlspecialchars()) for the f_ushka_new and f_ushk fields or otherwise sanitize user input before rendering.
  • Deploy a Content Security Policy that restricts inline scripts and mandates that only trusted script sources be executed, thereby limiting the impact of any remaining XSS vectors.
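The escaping the advisory describes, written out as an added illustration (this is not MaxSite CMS code; the field names f_ushka_new and f_ushk come from the advisory, the helper names and the form layout are assumptions):

```php
<?php
// Added illustration, not MaxSite CMS code: how form values such as
// f_ushka_new and f_ushk should be written back into an admin page.
declare(strict_types=1);

// Hypothetical helper: escape a value for HTML text or a quoted attribute.
// ENT_QUOTES covers single quotes too (before PHP 8.1 the default flags
// leave them alone); ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// silently returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Pattern behind CWE-79: the value is echoed back unescaped, so a double
// quote in it closes the attribute early and the rest is parsed as markup.
function render_field_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Fixed pattern: escape at the point of output, whatever the source of the
// value (request parameter, database row, config file).
function render_field_safe(string $name, string $value): string
{
    return '<input type="text" name="' . h($name) . '" value="' . h($value) . '">';
}

// Defence in depth: forbidding inline scripts limits what any escaping gap
// that survives can do in the browser. Assumes the page has no inline
// scripts of its own; check the admin UI before enforcing this.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
        . "object-src 'none'; base-uri 'self'");
}

// Constructed sample input in the shape of a posted form.
$post = ['f_ushka_new' => 'sidebar"><b>x</b>', 'f_ushk' => "it's"];
foreach ($post as $name => $value) {
    echo render_field_safe($name, $value), "\n";
}
```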


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Maxsite; Maxsite cms
Vendors & Products    (none)           Maxsite; Maxsite cms

Mon, 27 Apr 2026 14:15:00 +0000

Type                  Values Removed   Values Added
Metrics               (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 26 Apr 2026 04:15:00 +0000

Type                  Values Removed   Values Added
Description           (none)           A vulnerability was found in MaxSite CMS up to 109.3. Impacted is an unknown function of the component ushki Plugin. Performing a manipulation of the argument f_ushka_new/f_ushk results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. Upgrading to version 109.4 is recommended to address this issue. The patch is named 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. Upgrading the affected component is recommended. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."
Title                 (none)           MaxSite CMS ushki Plugin cross site scripting
Weaknesses            (none)           CWE-79; CWE-94
References            (none)           (none)
Metrics               (none)           cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}
                                       cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
                                       cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
                                       cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:51:40.053Z

Reserved: 2026-04-25T10:13:37.217Z

Link: CVE-2026-7016

Vulnrichment

Updated: 2026-04-27T13:51:32.707Z

NVD

Status : Deferred

Published: 2026-04-26T04:16:08.853

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7016

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:30:23Z

Weaknesses