CVE-2026-7429: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siteserver SSCMS
SSCMS v7.4.0 contains a reflected cross-site scripting vulnerability in the STL processing endpoint that allows attackers to execute arbitrary JavaScript by crafting malicious STL template payloads that are decrypted and returned without proper sanitization. Attackers can exploit improper output encoding in the /api/stl/actions/dynamic endpoint to inject executable JavaScript into JSON responses, leading to session hijacking, phishing attacks, and unauthorized actions performed on behalf of users.
AI Analysis
Technical Summary
CVE-2026-7429 is a reflected cross-site scripting vulnerability (CWE-79) in siteserver SSCMS version 7.4.0. The issue arises from improper output encoding in the /api/stl/actions/dynamic endpoint, where malicious STL template payloads are decrypted and returned without adequate sanitization. This allows attackers to inject arbitrary JavaScript into JSON responses, potentially enabling session hijacking, phishing, or unauthorized user actions. The vulnerability has a CVSS 4.0 score of 2.1, reflecting low severity. No patch or official remediation level has been published by the vendor, and the product is not a cloud service.
Potential Impact
Successful exploitation of this vulnerability could allow attackers to execute arbitrary JavaScript in the context of affected users' browsers. This may lead to session hijacking, phishing attacks, or unauthorized actions performed on behalf of users. However, the CVSS score of 2.1 and the low severity rating indicate that the overall impact and exploitability are limited. There are no known active exploits in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, users should monitor vendor communications for updates. Until a patch is available, consider applying input validation or output encoding controls at the application or web server level if feasible. Avoid using the vulnerable endpoint with untrusted input where possible.
CVE-2026-7429: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siteserver SSCMS
Description
SSCMS v7.4.0 contains a reflected cross-site scripting vulnerability in the STL processing endpoint that allows attackers to execute arbitrary JavaScript by crafting malicious STL template payloads that are decrypted and returned without proper sanitization. Attackers can exploit improper output encoding in the /api/stl/actions/dynamic endpoint to inject executable JavaScript into JSON responses, leading to session hijacking, phishing attacks, and unauthorized actions performed on behalf of users.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-7429 is a reflected cross-site scripting vulnerability (CWE-79) in siteserver SSCMS version 7.4.0. The issue arises from improper output encoding in the /api/stl/actions/dynamic endpoint, where malicious STL template payloads are decrypted and returned without adequate sanitization. This allows attackers to inject arbitrary JavaScript into JSON responses, potentially enabling session hijacking, phishing, or unauthorized user actions. The vulnerability has a CVSS 4.0 score of 2.1, reflecting low severity. No patch or official remediation level has been published by the vendor, and the product is not a cloud service.
Potential Impact
Successful exploitation of this vulnerability could allow attackers to execute arbitrary JavaScript in the context of affected users' browsers. This may lead to session hijacking, phishing attacks, or unauthorized actions performed on behalf of users. However, the CVSS score of 2.1 and the low severity rating indicate that the overall impact and exploitability are limited. There are no known active exploits in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, users should monitor vendor communications for updates. Until a patch is available, consider applying input validation or output encoding controls at the application or web server level if feasible. Avoid using the vulnerable endpoint with untrusted input where possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-04-29T15:02:13.637Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f3b63fcbff5d86107c4f7b
Added to database: 4/30/2026, 8:06:23 PM
Last enriched: 4/30/2026, 8:21:24 PM
Last updated: 5/1/2026, 7:15:19 AM
Views: 15
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.