CVE-2026-7011
Description
A vulnerability has been identified in MaxSite CMS up to version 109.3. It affects an unspecified function of the file /admin/plugin_antispam in the Antispam Plugin component. Manipulation of the argument f_logging_file can lead to cross-site scripting. The attack can be launched remotely. An exploit has been made public and could be used for attacks. Upgrading to version 109.4 addresses this issue; the fix is commit 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. Upgrading the affected component is advised. The vendor was informed early about this issue and classifies it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via htmlspecialchars() has already been fixed in the latest patch to prevent incorrect data display."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored Self-XSS vulnerability in MaxSite CMS's Antispam plugin allows an admin to inject arbitrary JavaScript via the logging file name field.
Vulnerability details
A stored cross-site scripting (XSS) vulnerability exists in the Antispam plugin of MaxSite CMS versions up to 109.3. The flaw is in the file /admin/plugin_antispam, where the value of the f_logging_file parameter is echoed back into the settings page without output encoding. The vendor classifies this as a Self-XSS because only authenticated administrators can modify the setting, but acknowledges that it violates secure coding standards [1][4].
Exploitation
An attacker with administrative access to the MaxSite CMS admin panel can set the logging file name to a malicious JavaScript payload. When the antispam settings page is rendered, the payload executes in the context of the administrator's browser. The attack is remote but requires prior authentication as an admin [1][4].
Impact
As a Self-XSS, the direct impact is limited to the administrator's session. However, if an attacker can trick an admin into visiting a crafted link or if the admin's session is hijacked, the XSS could be leveraged to perform actions on behalf of the admin. The vendor considers this a low-severity issue [1][4].
Mitigation
The vulnerability is fixed in MaxSite CMS version 109.4. Commit 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7 applies htmlspecialchars() to the value before it is output, so attribute-breaking characters are rendered as text instead of markup. Users are strongly advised to upgrade to the latest version [1][3].
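The following is an added illustrative example, not code from MaxSite CMS or from the referenced commit. It models the class of defect described above in a hypothetical settings form: a stored setting value is echoed into an HTML attribute verbatim, and the fixed version encodes it with htmlspecialchars() first. The function names, the form markup and the sample values are all constructed for this example.

```php
<?php
// Added illustrative example (not MaxSite CMS code). Models an admin form
// field whose stored value (hypothetically $settings['f_logging_file']) is
// echoed back into the page, in a vulnerable and in a hardened variant.

declare(strict_types=1);

/**
 * Vulnerable pattern: the stored value is interpolated into the HTML
 * verbatim. Any '"', '<' or '>' in the value becomes part of the page's
 * markup, so a stored value can close the attribute and open new elements.
 */
function render_logging_field_vulnerable(string $value): string
{
    return '<input type="text" name="f_logging_file" value="' . $value . '">';
}

/**
 * Hardened pattern: encode for the HTML attribute context before output.
 * ENT_QUOTES encodes both ' and " (needed because the attribute could be
 * single-quoted elsewhere); ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * returning an empty string, which would silently blank the setting.
 */
function render_logging_field_safe(string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="f_logging_file" value="' . $encoded . '">';
}

/**
 * Regression check for a unit test: the rendered field must contain exactly
 * one tag, i.e. the stored value must not be able to terminate the attribute
 * or introduce additional elements.
 */
function field_is_single_tag(string $html): bool
{
    return substr_count($html, '<') === 1 && substr_count($html, '>') === 1;
}

// Constructed sample setting values: a benign file name and a value that
// carries attribute-breaking characters (constructed for this demonstration).
$samples = [
    'antispam.log',
    'x"><b>injected</b>',
];

foreach ($samples as $value) {
    $unsafe = render_logging_field_vulnerable($value);
    $safe   = render_logging_field_safe($value);
    printf(
        "value: %s\n  vulnerable: %s (single tag: %s)\n  hardened:   %s (single tag: %s)\n",
        $value,
        $unsafe, field_is_single_tag($unsafe) ? 'yes' : 'no',
        $safe,   field_is_single_tag($safe)   ? 'yes' : 'no'
    );
}
```

Run with `php example.php`. For the benign file name both variants pass the single-tag check; for the second value only the hardened variant does, because `"`, `<` and `>` are emitted as `&quot;`, `&lt;` and `&gt;`. The explicit flag set matters: before PHP 8.1 the default was ENT_COMPAT, which leaves single quotes unencoded, so a template that uses single-quoted attributes would still be injectable with the defaults. Encoding at output time, rather than stripping characters at input time, also preserves the stored value exactly, which is what the vendor's "incorrect data display" remark refers to.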
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 6
News mentions: 0 (no linked articles in our index yet)