VYPR
Low severity (CVSS 2.4) · NVD Advisory · Published Apr 26, 2026 · Updated Apr 29, 2026

CVE-2026-7014

Description

A flaw has been found in MaxSite CMS up to 109.3. This vulnerability affects unknown code in the down_count plugin component. Manipulation of the argument f_file/f_prefix causes cross-site scripting. The attack may be initiated remotely. The exploit has been published and may be used. Upgrading to version 109.4 resolves this issue. Patch name: 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. The affected component should be upgraded. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via htmlspecialchars() has already been fixed in the latest patch to prevent incorrect data display."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored cross-site scripting (Self-XSS) vulnerability in the down_count plugin of MaxSite CMS up to 109.3 allows remote attackers to inject malicious scripts via unfiltered f_file/f_prefix parameters.

Vulnerability Overview

A stored cross-site scripting (XSS) vulnerability exists in the down_count plugin of MaxSite CMS versions up to 109.3. The root cause is the absence of output encoding with htmlspecialchars() when handling the f_file and f_prefix arguments, as confirmed by the vendor's own assessment [1]. Because the values reach the page without this encoding, an attacker can inject arbitrary HTML or JavaScript into the plugin's interface.

Exploitation Path

An attacker can initiate the attack remotely by crafting a malicious payload in the f_file or f_prefix parameter [1]. Since the parameter values are stored and later displayed without proper escaping, the injected script executes in the context of the affected admin page. The vendor classifies this as 'Self-XSS', meaning the attacker must trick an authenticated administrator into visiting a specially crafted link or submit the payload themselves [1].

Impact

Successful exploitation results in the execution of attacker-controlled scripts within the browser session of the administrator, potentially leading to unauthorized actions, data theft, or configuration changes under the admin's privileges. The CVSS v3 base score of 2.4 (Low) reflects the need for user interaction and the limited scope of self-XSS [CVE description].

Mitigation

The issue is addressed in version 109.4, which applies htmlspecialchars() to the affected parameters [1]. Users are advised to upgrade to the latest version [2]. A patch identified by commit hash 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7 is available in the official repository [1].
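As an added illustration (not MaxSite CMS code; the plugin's real markup is not shown on this page), the unescaped-output pattern the advisory describes sits beside the htmlspecialchars() fix it says 109.4 applies. Function names, the table layout and the sample inputs are hypothetical and constructed.

```php
<?php
// Added example, not MaxSite CMS code: the weak output pattern described in
// the advisory beside the htmlspecialchars() fix. Function names and the
// HTML layout are hypothetical; the real down_count markup is not on the page.
declare(strict_types=1);

// Escape a value for insertion into HTML text or a quoted attribute.
// ENT_QUOTES matters: before PHP 8.1 the default flags were ENT_COMPAT, which
// leaves the single quote (') unescaped and so does not protect '...'-quoted
// attributes. ENT_SUBSTITUTE avoids returning '' on invalid UTF-8 input.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Weak pattern: request parameter values echoed straight into markup.
function render_row_unescaped(string $fFile, string $fPrefix): string
{
    return "<tr><td>{$fPrefix}</td><td><a href='?f_file={$fFile}'>{$fFile}</a></td></tr>\n";
}

// Fixed pattern: every interpolated value passes through esc() at output time.
// urlencode() handles the query-string context of the link target; esc() then
// protects the HTML attribute that carries it.
function render_row_escaped(string $fFile, string $fPrefix): string
{
    $href = '?f_file=' . urlencode($fFile);
    return '<tr><td>' . esc($fPrefix) . '</td><td><a href=\'' . esc($href) . '\'>'
        . esc($fFile) . "</a></td></tr>\n";
}

// Constructed sample inputs containing the characters that break out of HTML
// text and quoted attributes; no script payload is needed to see the gap.
$fFile   = "report'.pdf<i>";
$fPrefix = 'files/"docs"';

echo "unescaped:\n", render_row_unescaped($fFile, $fPrefix);
echo "escaped:\n",   render_row_escaped($fFile, $fPrefix);
```

Run with `php example.php`: the first row reproduces the quote and tag characters verbatim, the second renders them as `&apos;`, `&lt;` and `&quot;` entities so the browser treats them as text.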

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
