CVE-2026-7016: Cross Site Scripting in MaxSite CMS
CVE-2026-7016 is a cross-site scripting (XSS) vulnerability in MaxSite CMS versions up to 109.3, specifically in the ushki plugin component. The issue arises from improper filtering of input arguments f_ushka_new/f_ushk, allowing remote attackers to inject malicious scripts. The vendor classifies this as a Self-XSS issue and has released a patch in version 109.4 that applies htmlspecialchars() filtering to prevent incorrect data display. The vulnerability has a medium severity with a CVSS score of 4.8. Users are advised to upgrade to version 109.4 to remediate the issue.
AI Analysis
Technical Summary
MaxSite CMS versions 109.0 through 109.3 contain a cross-site scripting vulnerability in the ushki plugin due to lack of proper input sanitization on the f_ushka_new/f_ushk arguments. This allows remote attackers to perform XSS attacks by injecting malicious scripts. The vendor has addressed this by adding htmlspecialchars() filtering in version 109.4, which prevents the vulnerability by ensuring correct data display and input handling. The vulnerability is classified as Self-XSS by the vendor, indicating that exploitation requires user interaction with crafted input. The CVSS 4.8 score reflects a medium severity with network attack vector and low complexity.
Potential Impact
The vulnerability allows remote attackers to execute cross-site scripting attacks by manipulating specific input parameters in the ushki plugin of MaxSite CMS. This could lead to the execution of malicious scripts in the context of the affected site. However, the vendor classifies this as a Self-XSS issue, implying that exploitation requires user interaction and is less likely to be exploited in widespread attacks. The vulnerability has been publicly disclosed but no known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade MaxSite CMS to version 109.4 or later, where the vulnerability is fixed by applying htmlspecialchars() filtering to the affected input parameters. This official patch addresses the root cause and prevents the XSS condition. No additional mitigation is required as the vendor has deployed this fix and recommends upgrading.
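The fix is described above only as applying htmlspecialchars() to the affected arguments. The following added example (not MaxSite CMS code) shows that class of fix on a hypothetical form renderer that echoes the f_ushka_new value; the functions render_unfiltered and render_encoded and the sample input are constructed for illustration, and the script assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a plugin admin form that echoes a submitted
// name back to the page. This is not MaxSite CMS code.

/** Unfiltered rendering: the value reaches the HTML as submitted. */
function render_unfiltered(string $name): string
{
    return '<input type="text" name="f_ushka_new" value="' . $name . '">'
         . '<p>Saved: ' . $name . '</p>';
}

/** Encoded rendering: htmlspecialchars() applied at the point of output. */
function render_encoded(string $name): string
{
    // ENT_QUOTES encodes both quote styles, so the value cannot close the
    // value="..." attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead
    // of returning an empty string.
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="f_ushka_new" value="' . $safe . '">'
         . '<p>Saved: ' . $safe . '</p>';
}

// Constructed sample input: harmless markup containing quotes and a tag.
$submitted = 'Sidebar "left" <b>bold</b>';

$before = render_unfiltered($submitted);
$after  = render_encoded($submitted);

// Collect any mismatch between expected and actual behaviour.
$problems = [];
if (!str_contains($before, '<b>bold</b>')) {
    $problems[] = 'unfiltered output should carry the raw tag through';
}
if (str_contains($after, '<b>')) {
    $problems[] = 'encoded output still contains a raw tag';
}
if (!str_contains($after, '&quot;left&quot;')) {
    $problems[] = 'double quotes were not encoded';
}
if (!str_contains($after, '&lt;b&gt;bold&lt;/b&gt;')) {
    $problems[] = 'angle brackets were not encoded';
}

echo $before, PHP_EOL, $after, PHP_EOL;
echo $problems === [] ? 'checks passed' : implode(PHP_EOL, $problems), PHP_EOL;
```

Encoding is applied where the value is written into HTML, so the same stored value stays intact for other uses.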
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-04-25T10:13:37.217Z
- Cvss Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69ed8f2c87115cfb68a3f64a
Added to database: 4/26/2026, 4:06:04 AM
Last enriched: 4/26/2026, 4:21:09 AM
Last updated: 4/26/2026, 6:37:43 AM