CVE-2026-37700
Description
MaxSite CMS v.109.2 has a stored XSS vulnerability in the backend file upload endpoint, allowing low-privilege users to disclose sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored Cross-Site Scripting (XSS) vulnerability exists in MaxSite CMS version 109.2 within the backend file upload endpoint used by the admin_page plugin. This flaw allows a low-privilege backend user to upload a same-origin HTML file without proper authorization [1]. The vulnerability is present in the uploads-require-maxsite.php file, which is accessible under the /admin_page route [1].
Exploitation
An attacker with low-privilege backend user access can exploit this vulnerability. The attacker needs to upload a crafted HTML file via the file upload endpoint. This uploaded file can then be accessed by a higher-privileged user, triggering a stored client-side attack [1]. The admin_page plugin routes typically enforce permission checks, but this specific endpoint has an access-control flaw [1].
Impact
Successful exploitation of this vulnerability can lead to sensitive information disclosure. When a higher-privileged user views the malicious HTML file uploaded by the attacker, it can trigger a stored client-side attack, potentially revealing backend information to the attacker [1].
Mitigation
MaxSite CMS version 109.2 is affected by this vulnerability. A fixed version and release date are not yet disclosed in the available references. No workarounds are provided at this time [1].
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The backend upload endpoint lacks proper authorization checks, allowing low-privilege users to upload files."
Attack vector
A low-privilege backend user can upload an HTML file to the backend upload endpoint, which is accessible via `/require-maxsite/YWRtaW4vcGx1Z2lucy9hZG1pbl9wYWdlL3VwbG9hZHMtcmVxdWlyZS1tYXhzaXRlLnBocA==`. This endpoint bypasses the intended `admin_page_*` permission checks and only requires a backend login. The uploaded HTML file can contain malicious JavaScript. When a higher-privileged user visits the uploaded file, the script executes in their browser context, potentially leading to information disclosure [1].
Affected code
The vulnerability lies within the `uploads-require-maxsite.php` file, which handles file uploads under the `/admin_page` route. Unlike other files in the same directory that enforce permission checks like `admin_page_edit`, this specific file only performs an `is_login()` check, which is insufficient for preventing unauthorized uploads [1].
What the fix does
The advisory does not specify a patch or provide details on remediation. However, it implies that the vulnerability is caused by insufficient access control on the file upload functionality. A proper fix would involve enforcing the necessary `admin_page_edit` or similar permissions before allowing file uploads, ensuring only authorized users can leverage this feature [1].
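As an added illustration (not MaxSite CMS code), the gate below shows the access-control fix the advisory implies next to two defence-in-depth checks a practitioner would add to the same upload handler: the CMS permission API is assumed and injected as a callable, and only the `is_login()` step and the `admin_page_edit` permission name come from the advisory.

```php
<?php
// Added example, not MaxSite CMS code. The permission API is assumed and
// injected as a callable so the logic runs stand-alone.
declare(strict_types=1);

// Extensions an upload endpoint should accept. Deliberately absent: html, htm,
// xhtml, svg, which browsers render same-origin and so can carry a stored
// client-side payload to whoever opens the file.
const UPLOAD_ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf', 'zip', 'txt'];

/**
 * @param bool     $loggedIn      result of the existing is_login()-style check
 * @param callable $hasPermission fn(string $perm): bool, the CMS permission check (assumed API)
 * @param string   $filename      client-supplied file name
 * @param string   $head          first bytes of the uploaded content
 * @return array{ok: bool, reason: string}
 */
function upload_gate(bool $loggedIn, callable $hasPermission, string $filename, string $head): array
{
    // The vulnerable endpoint stopped here: any backend login was enough.
    if (!$loggedIn) {
        return ['ok' => false, 'reason' => 'not logged in'];
    }
    // The fix the advisory implies: require the permission the rest of the
    // admin_page plugin already enforces.
    if (!$hasPermission('admin_page_edit')) {
        return ['ok' => false, 'reason' => 'missing admin_page_edit'];
    }
    // Defence in depth 1: reject renderable types regardless of who uploads.
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, UPLOAD_ALLOWED_EXT, true)) {
        return ['ok' => false, 'reason' => "extension .$ext not allowed"];
    }
    // Defence in depth 2: a markup file renamed to .txt can still be rendered
    // as HTML by a MIME-sniffing browser if served without X-Content-Type-Options.
    if (preg_match('/^\s*(<!doctype|<html|<script|<svg)/i', $head) === 1) {
        return ['ok' => false, 'reason' => 'content looks like markup'];
    }
    return ['ok' => true, 'reason' => 'accepted'];
}

// Constructed sample callers: a low-privilege backend user without any
// admin_page_* right, and an editor who holds admin_page_edit.
$lowPriv = fn(string $p): bool => false;
$editor  = fn(string $p): bool => $p === 'admin_page_edit';

var_dump(upload_gate(true, $lowPriv, 'notes.html', '<html><script>')['reason']);
var_dump(upload_gate(true, $editor, 'notes.html', '<html>')['reason']);
var_dump(upload_gate(true, $editor, 'notes.txt', "<!DOCTYPE html>")['reason']);
var_dump(upload_gate(true, $editor, 'photo.jpg', "\xFF\xD8\xFF")['ok']);
```

The first call is the advisory's scenario and is now refused on permission alone; the remaining calls show that even an authorized editor cannot store a file the browser would render as a document.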
Preconditions
- auth: The attacker must have a low-privilege backend user account.
- network: The attacker must be able to send HTTP requests to the MaxSite CMS instance.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.