Description
SSCMS v7.4.0 contains a reflected cross-site scripting vulnerability in the STL processing endpoint that allows attackers to execute arbitrary JavaScript by crafting malicious STL template payloads that are decrypted and returned without proper sanitization. Attackers can exploit improper output encoding in the /api/stl/actions/dynamic endpoint to inject executable JavaScript into JSON responses, leading to session hijacking, phishing attacks, and unauthorized actions performed on behalf of users.
Published: 2026-04-30
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a reflected XSS vulnerability in the STL processing endpoint of SSCMS v7.4.0. Malicious STL templates are decrypted and inserted into JSON responses without proper sanitization, allowing an attacker to inject executable JavaScript. This can compromise user sessions, enable phishing attacks, or trigger actions on behalf of authenticated users. The weakness is classified as CWE-79: untrusted input rendered without output encoding.

Affected Systems

The affected product is Siteserver SSCMS version 7.4.0, which exposes the /api/stl/actions/dynamic endpoint that processes STL payloads.

Risk and Exploitability

The CVSS score is 2.1, indicating low severity. The EPSS score is not available, so the likelihood of exploitation is uncertain. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to reach the vulnerable endpoint to deliver a malicious STL payload, so restricting exposure of the endpoint reduces attack feasibility.

Generated by OpenCVE AI on May 1, 2026 at 05:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SSCMS to the latest version where the STL processing sanitization issue has been fixed.
  • Limit or disable the /api/stl/actions/dynamic endpoint to trusted traffic only, or enforce strict input validation to reject arbitrary STL payloads.
  • Implement strong output encoding and a Content-Security-Policy header for JSON responses to mitigate any residual XSS impact.


Advisories

No advisories yet.

History

Fri, 01 May 2026 08:45:00 +0000

  Type                  Values Removed    Values Added
  First Time appeared   (none)            Siteserver; Siteserver sscms
  Vendors & Products    (none)            Siteserver; Siteserver sscms

Thu, 30 Apr 2026 20:15:00 +0000

  Type                  Values Removed    Values Added
  Metrics               (none)            ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 20:00:00 +0000

  Type                  Values Removed    Values Added
  Description           (none)            SSCMS v7.4.0 contains a reflected cross-site scripting vulnerability in the STL processing endpoint that allows attackers to execute arbitrary JavaScript by crafting malicious STL template payloads that are decrypted and returned without proper sanitization. Attackers can exploit improper output encoding in the /api/stl/actions/dynamic endpoint to inject executable JavaScript into JSON responses, leading to session hijacking, phishing attacks, and unauthorized actions performed on behalf of users.
  Title                 (none)            SSCMS v7.4.0 Reflected Cross-Site Scripting via STL Processing
  Weaknesses            (none)            CWE-79
  References            (none)            (none)
  Metrics               (none)            cvssV3_1: {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}
                                          cvssV4_0: {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-30T20:03:47.740Z

Reserved: 2026-04-29T15:02:13.637Z

Link: CVE-2026-7429

Vulnrichment

Updated: 2026-04-30T20:02:07.177Z

NVD

Status: Deferred

Published: 2026-04-30T20:16:24.997

Modified: 2026-05-01T15:28:46.093

Link: CVE-2026-7429

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:21:07Z

Weaknesses