A vulnerability classified as problematic was found in MaxSite CMS up to 109.3. It affects an unknown part of the Redirect Plugin component. Manipulating the argument f_all/f_all404 results in cross-site scripting.
This vulnerability is reported as CVE-2026-7012. The attack can be launched remotely. Moreover, an exploit is present.
You should upgrade the affected component.
The vendor was informed early about this issue. They classify it as a “Self-XSS”. They deployed a countermeasure: “Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display.”
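
The kind of output-encoding fix the vendor describes, shown as an added example that is not MaxSite CMS code. The field names `f_all` and `f_all404` come from the advisory; the function names, form markup and sample values are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical settings-form renderer. Only the field names f_all / f_all404
// are taken from the advisory; the markup and helpers are assumed.

/** Encode a value for an HTML text node or a quoted attribute. */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Before: stored values are echoed back into the form verbatim. */
function render_form_unescaped(array $opts): string
{
    return '<textarea name="f_all">' . ($opts['f_all'] ?? '') . '</textarea>'
         . '<textarea name="f_all404">' . ($opts['f_all404'] ?? '') . '</textarea>';
}

/** After: every stored value is encoded at the point of output. */
function render_form_escaped(array $opts): string
{
    return '<textarea name="f_all">' . esc((string) ($opts['f_all'] ?? '')) . '</textarea>'
         . '<textarea name="f_all404">' . esc((string) ($opts['f_all404'] ?? '')) . '</textarea>';
}

/** Count opening tags a browser would parse; the form itself contributes two. */
function element_count(string $html): int
{
    return (int) preg_match_all('/<[a-zA-Z]/', $html);
}

// Constructed sample input: the first value closes the textarea early and adds markup.
$opts = [
    'f_all'    => "/old | /new\n</textarea><b>injected</b>",
    'f_all404' => '/missing | /home',
];

printf("unescaped: %d elements\n", element_count(render_form_unescaped($opts)));
printf("escaped:   %d elements\n", element_count(render_form_escaped($opts)));

// Regression check: stored values must never add elements to the rendered form.
if (element_count(render_form_escaped($opts)) !== 2) {
    fwrite(STDERR, "stored value changed the form structure\n");
    exit(1);
}
```

Encoding at output rather than at save time keeps the stored values intact and covers values that reached storage by another path.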