High severityNVD Advisory· Published Aug 5, 2025· Updated Apr 15, 2026

CVE-2012-10032

Description

Maxthon3 versions prior to 3.3 are vulnerable to cross context scripting (XCS) via the about:history page. The browser’s trusted zone improperly handles injected script content, allowing attackers to execute arbitrary JavaScript in a privileged context. This flaw enables modification of browser configuration and execution of arbitrary code through Maxthon’s exposed DOM APIs, including maxthon.program.Program.launch() and maxthon.io.writeDataURL(). Exploitation requires user interaction, typically by visiting a malicious webpage that triggers the injection.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.htmlnvd
raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/browser/maxthon_history_xcs.rbnvd
www.exploit-db.com/exploits/23225nvd
www.fortiguard.com/encyclopedia/ips/34203nvd
www.maxthon.comnvd
www.vulncheck.com/advisories/maxthon3-xcs-trusted-zone-code-execnvd

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.039
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000