Low severity2.4NVD Advisory· Published Apr 26, 2026· Updated Apr 29, 2026

CVE-2026-7013

Description

A security vulnerability has been detected in MaxSite CMS up to 109.3. Affected by this issue is some unknown functionality of the component mail_send Plugin. The manipulation of the argument f_subject/f_files/f_from leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 109.4 can resolve this issue. The identifier of the patch is 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. It is advisable to upgrade the affected component. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via htmlspecialchars() has already been fixed in the latest patch to prevent incorrect data display."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MaxSite CMS up to 109.3 has a stored XSS vulnerability in the mail_send plugin via unsanitized f_subject, f_files, and f_from parameters.

Vulnerability

Overview

CVE-2026-7013 is a stored cross-site scripting (XSS) vulnerability found in MaxSite CMS versions up to 109.3. The issue resides in the mail_send plugin, where the parameters f_subject, f_files, and f_from are not properly sanitized before being processed. The vendor classifies this as a "Self-XSS" and states that the lack of filtering via htmlspecialchars() has been fixed in the latest patch [1].

Exploitation

An attacker can exploit this vulnerability remotely by crafting malicious input in the affected parameters of the mail_send plugin. The attack does not require authentication, as the plugin's functionality is accessible to unauthenticated users. The exploit has been publicly disclosed, increasing the risk of active exploitation [4].

Impact

Successful exploitation allows an attacker to inject arbitrary JavaScript code into the application's context. Since this is classified as a Self-XSS, the injected script would execute in the context of the victim's session, potentially leading to data theft, session hijacking, or other client-side attacks. The CVSS v3 score of 2.4 reflects the low severity due to the self-XSS nature, but the public availability of exploit details elevates the practical risk.

Mitigation

The vulnerability is patched in MaxSite CMS version 109.4. The fix involves adding htmlspecialchars() to sanitize the f_logging_file parameter, which addresses the root cause of the XSS [1]. Users are strongly advised to upgrade to version 109.4 or apply the patch commit 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7 [1]. No workarounds have been provided by the vendor.

References

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

Severity

LowCVSS v3.1

2.4/ 10

CVSS v41.9

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: High
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

EPSS

Probability of exploitation in the next 30 days.

0.04%

VYPR risk score

Composite of severity, exploitation, and reach.

0.16low

cvss	0.156
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-94
Improper Control of Generation of Code ('Code Injection')

CVE ID

CVE-2026-7013

Source code

github.com/maxsite/cms/

Credits

K(
konchan (VulDB User)
reporter
VC
VulDB CNA Team
coordinator