CVE-2026-7014

216.73.216.6

· Published 26/04/2026 03:16 · Modified 27/04/2026 18:46

Labels: CVE-2026-7014 2026-04-26 CVE-2026-7014 CWE-79 [email protected]

Essential information

Published: 26/04/2026 03:16
Modified: 27/04/2026 18:46
Author: —
Creator: —
CVSS: 4.8 MEDIUM (v3) 4.8 MEDIUM (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

A flaw has been found in MaxSite CMS up to 109.3. This vulnerability affects unknown code of the component down_count Plugin. This manipulation of the argument f_file/f_prefix causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. Upgrading to version 109.4 is able to resolve this issue. Patch name: 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. The affected component should be upgraded. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."

NVD status

Status: Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
maxsite / maxsite cms	`cpe:2.3:a:maxsite:maxsite_cms::::::::`