CVE-2026-7016
Description
A vulnerability was found in MaxSite CMS up to version 109.3. It affects an unknown function of the component ushki Plugin. Manipulating the argument f_ushka_new/f_ushk results in cross-site scripting. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading to version 109.4 is recommended to address this issue. The patch is identified as 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. Upgrading the affected component is recommended. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via htmlspecialchars() has already been fixed in the latest patch to prevent incorrect data display."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in MaxSite CMS ushki plugin via unsanitized input (f_ushka_new/f_ushk) allows self-XSS; fixed in version 109.4.
Vulnerability
Overview
CVE-2026-7016 describes a cross-site scripting (XSS) vulnerability in the ushki plugin of MaxSite CMS up to version 109.3. The root cause is the lack of output encoding with htmlspecialchars() when rendering user-supplied values for the parameters f_ushka_new and f_ushk. This allows an attacker to inject arbitrary HTML or JavaScript code that is subsequently stored and displayed to other users [1][3].
Exploitation
To exploit this issue, an attacker must craft a malicious payload and submit it via the affected plugin’s input fields. Because the vulnerability is classified by the vendor as a “Self-XSS,” successful exploitation requires the attacker to trick a legitimate user into entering the payload in their own browser session (e.g., via social engineering). However, once stored, the injected script can execute in the context of any user who views the compromised content, potentially leading to further attacks if the victim is an administrator [2][3].
Impact
An attacker exploiting this flaw can execute arbitrary JavaScript in the browser of a user who accesses the affected page. This could enable theft of session cookies, redirection to malicious sites, or defacement. The CVSS v3 base score of 2.4 reflects the low severity due to the self-XSS nature and the need for user interaction; nonetheless, the vendor acknowledges it as a violation of secure coding standards [1][2].
Mitigation
The issue has been addressed in MaxSite CMS version 109.4. The fix, identified in commit 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7, applies htmlspecialchars() to the f_logging_file parameter, which was one of the vulnerable fields [1][4]. Users are strongly advised to upgrade to version 109.4 or later to prevent exploitation.
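The fix the advisory describes is output encoding with htmlspecialchars(). The PHP below is an added illustration, not code from MaxSite CMS or its patch: it contrasts a render function that concatenates a stored plugin field straight into HTML with one that encodes at the output boundary, and it includes a round-trip check so a reviewer can confirm the encoder neither leaks markup characters nor corrupts the stored text. The field names f_ushka_new and f_ushk are taken from the advisory; the sample values, the render_unsafe/render_safe/e/check helpers and the markup they produce are assumptions made for this example.

```php
<?php
// Added illustration, not MaxSite CMS code. The field names f_ushka_new and
// f_ushk come from the advisory; everything else here (the sample values and
// the render functions) is constructed for this example.

// Constructed sample of values as they might sit in storage after a user saved
// the plugin form. Storage keeps the raw text; encoding is an output concern.
$stored = [
    'f_ushka_new' => '<script>alert(1)</script>',
    'f_ushk'      => 'Tom & "Jerry" <b>',
];

// Vulnerable pattern: the stored value is concatenated straight into HTML,
// so any markup it contains becomes part of the page.
function render_unsafe(string $label, string $value): string
{
    return '<p><b>' . $label . ':</b> ' . $value . '</p>';
}

// Output-encoding helper. ENT_QUOTES encodes both quote characters so the same
// helper is safe inside attribute values; ENT_SUBSTITUTE replaces invalid byte
// sequences instead of returning an empty string; the explicit charset avoids
// depending on the default_charset ini setting.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every untrusted value goes through e() at the point where
// it is written into HTML text or into an attribute value.
function render_safe(string $label, string $value): string
{
    return '<p><b>' . e($label) . ':</b> ' . e($value) . '</p>'
         . '<input type="text" name="' . e($label) . '" value="' . e($value) . '">';
}

// Self-check: the encoded form must contain no raw '<', '>', '"' or "'" from
// the untrusted value, and decoding it must give back exactly the stored text.
function check(array $fields): bool
{
    foreach ($fields as $label => $value) {
        $encoded = e($value);
        if (strpbrk($encoded, '<>"\'') !== false) {
            return false;
        }
        if (htmlspecialchars_decode($encoded, ENT_QUOTES | ENT_HTML5) !== $value) {
            return false;
        }
    }
    return true;
}

foreach ($stored as $label => $value) {
    echo "unsafe: " . render_unsafe($label, $value) . PHP_EOL;
    echo "safe:   " . render_safe($label, $value) . PHP_EOL;
}
echo check($stored) ? "encoding check passed" : "encoding check FAILED";
echo PHP_EOL;
```

Run it with `php example.php`. The helper encodes at output rather than before storage, so the stored text stays intact and can be emitted through a different encoder when the same value is later written into JSON or plain text; encoding before storage is what produces double-encoded text such as `&amp;amp;` once a template encodes the value a second time on display.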
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 6
News mentions: 0
No linked articles in our index yet.