CVE-2026-7015: Cross Site Scripting in MaxSite CMS
A vulnerability has been found in MaxSite CMS up to 109.3. This issue affects some unknown processing of the component Guestbook Plugin. Such manipulation of the argument f_text/f_slug/f_limit/f_email leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 109.4 is capable of addressing this issue. The name of the patch is 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. It is suggested to upgrade the affected component. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."
AI Analysis
Technical Summary
This vulnerability in MaxSite CMS affects the Guestbook Plugin's processing of input parameters f_text, f_slug, f_limit, and f_email, allowing cross-site scripting due to lack of proper output encoding. The vendor fixed the issue by adding htmlspecialchars() filtering in version 109.4, which prevents incorrect data display and mitigates the XSS risk. The vulnerability is classified as a 'Self-XSS' by the vendor, indicating that exploitation requires user interaction with their own input. The CVSS 4.0 base score is 4.8 (medium severity), reflecting network attack vector, low complexity, and required user interaction.
Potential Impact
Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the affected user's browser, potentially leading to session hijacking or other client-side impacts. However, since the vendor classifies this as a 'Self-XSS', the risk is somewhat limited as it requires the victim to interact with malicious input they control. There are no known exploits in the wild at this time.
Mitigation Recommendations
A fix is available in MaxSite CMS version 109.4, which includes proper filtering of input via htmlspecialchars() to prevent XSS. It is recommended to upgrade affected installations to version 109.4 to remediate this vulnerability. Since the vendor has deployed this official fix, no additional mitigation steps are necessary.
CVE-2026-7015: Cross Site Scripting in MaxSite CMS
Description
A vulnerability has been found in MaxSite CMS up to 109.3. This issue affects some unknown processing of the component Guestbook Plugin. Such manipulation of the argument f_text/f_slug/f_limit/f_email leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 109.4 is capable of addressing this issue. The name of the patch is 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. It is suggested to upgrade the affected component. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."
CVSS v4.0
Score 4.8medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in MaxSite CMS affects the Guestbook Plugin's processing of input parameters f_text, f_slug, f_limit, and f_email, allowing cross-site scripting due to lack of proper output encoding. The vendor fixed the issue by adding htmlspecialchars() filtering in version 109.4, which prevents incorrect data display and mitigates the XSS risk. The vulnerability is classified as a 'Self-XSS' by the vendor, indicating that exploitation requires user interaction with their own input. The CVSS 4.0 base score is 4.8 (medium severity), reflecting network attack vector, low complexity, and required user interaction.
Potential Impact
Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the affected user's browser, potentially leading to session hijacking or other client-side impacts. However, since the vendor classifies this as a 'Self-XSS', the risk is somewhat limited as it requires the victim to interact with malicious input they control. There are no known exploits in the wild at this time.
Mitigation Recommendations
A fix is available in MaxSite CMS version 109.4, which includes proper filtering of input via htmlspecialchars() to prevent XSS. It is recommended to upgrade affected installations to version 109.4 to remediate this vulnerability. Since the vendor has deployed this official fix, no additional mitigation steps are necessary.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-04-25T10:13:32.971Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Epss Score
- 0.00033
- Epss Percentile
- 0.09731
- Epss Date
- 2026-04-26
- Gcve Source
- db.gcve.eu
Threat ID: 69ed7d9287115cfb68904a2e
Added to database: 4/26/2026, 2:50:58 AM
Last enriched: 5/3/2026, 7:26:19 AM
Last updated: 6/10/2026, 7:24:14 AM
Views: 102
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.