A vulnerability classified as problematic has been found in MaxSite CMS up to 109.3. It affects some unknown functionality of the mail_send plugin. Manipulation of the argument f_subject/f_files/f_from leads to cross-site scripting.

This vulnerability is documented as CVE-2026-7013. The attack can be initiated remotely. Additionally, an exploit exists.

It is advisable to upgrade the affected component.

The vendor was informed early about this issue. They classify it as a “Self-XSS”. They deployed a countermeasure: “Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display.”
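
An added example, not code from MaxSite CMS or the mail_send plugin: a hypothetical form re-display in PHP showing unescaped output next to the `htmlspecialchars()` fix the vendor describes. Only the field names come from the advisory; the function names, the markup and the treatment of `f_files` as a list of file names are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not MaxSite CMS or mail_send plugin source. Only the
// field names f_subject, f_from and f_files are taken from the advisory.

/** Escape one value for HTML text or a quoted attribute. */
function esc(mixed $value): string
{
    // Non-scalars (e.g. a nested array sent as f_from[]=...) render as empty.
    if (!is_scalar($value)) {
        return '';
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** BEFORE (hypothetical): request values interpolated into markup as-is. */
function render_form_unsafe(array $post): string
{
    return '<input name="f_from" value="' . ($post['f_from'] ?? '') . '">'
         . '<input name="f_subject" value="' . ($post['f_subject'] ?? '') . '">';
}

/** AFTER: every reflected value is escaped at the point of output. */
function render_form_safe(array $post): string
{
    $html = '<input name="f_from" value="' . esc($post['f_from'] ?? '') . '">'
          . '<input name="f_subject" value="' . esc($post['f_subject'] ?? '') . '">';
    // f_files is treated as a list of names here (assumption); escape each one.
    $files = $post['f_files'] ?? [];
    foreach (is_array($files) ? $files : [$files] as $name) {
        $html .= '<li>' . esc($name) . '</li>';
    }
    return $html;
}

// Constructed sample input: harmless markup that breaks out of the attribute.
$post = [
    'f_from'    => 'user@example.test',
    'f_subject' => 'Hello"><b>injected</b>',
    'f_files'   => ['report.pdf', '<i>notes</i>.txt'],
];

echo render_form_unsafe($post), PHP_EOL; // attribute closes early, markup goes live
echo render_form_safe($post), PHP_EOL;   // same input rendered as inert text
```

`ENT_QUOTES` matters here because the values land inside quoted attributes; the default flags before PHP 8.1 leave single quotes unescaped.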