50 CVEs tracked today. 1 Critical, 16 High, 16 Medium, 17 Low.
-
CVE-2026-42363
CRITICAL
CVSS 9.3
Credential disclosure in GeoVision GV-IP Device Utility 9.0.5 allows an attacker on the same broadcast domain to recover administrator passwords from UDP broadcast traffic that carries its own symmetric key. When administrators issue privileged commands to GeoVision IP devices, the utility broadcasts the credentials encrypted with a Blowfish-derived algorithm but includes the decryption key in the same packet, so a passive listener can decrypt them without ever interacting with the utility or the device. CVSS 9.3 (Critical) with scope change reflects the pivot from captured utility traffic to full device control, including IP reconfiguration and factory resets. Because the traffic is broadcast, exposure is limited to the local segment, which makes segmenting camera management networks the practical compensating control until a fixed utility is available.
Information Disclosure
-
CVE-2026-42255
HIGH
CVSS 7.2
DNS traffic amplification via cyclic nameserver delegation in Technitium DNS Server versions before 15.0 enables unauthenticated remote attackers to conduct distributed denial-of-service (DDoS) attacks. A delegation chain in which zones point at nameservers hosted in each other's zones (typically with no glue records to break the cycle) sends the resolver around the loop, issuing many upstream queries for a single client query. This amplification can be weaponized against third-party victims, with the vulnerable server acting as an unwitting participant in reflection attacks. CVSS 7.2 (High) reflects network-accessible exploitation requiring no authentication; the scope change captures the availability impact on third-party targets rather than any effect on the server's own data.
DoS
-
CVE-2026-7057
HIGH
CVSS 7.4
Buffer overflow in Tenda F456 router firmware 1.0.0.5 enables remote authenticated attackers to achieve arbitrary code execution via crafted HTTP requests to the /goform/setcfm endpoint in the httpd service. The vulnerability affects the funcname and funcpara1 parameters and has a publicly available exploit on GitHub, significantly lowering the barrier for exploitation. CVSS v4.0 base score of 7.4 reflects high confidentiality, integrity, and availability impact with low attack complexity; the low-privilege authentication requirement (PR:L) only helps where the default administrative password has been changed. No vendor patch has been identified for this IoT router vulnerability.
Buffer Overflow
Tenda
-
CVE-2026-7056
HIGH
CVSS 7.4
Buffer overflow in Tenda F456 router firmware 1.0.0.5 allows authenticated remote attackers to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The vulnerability resides in the SafeUrlFilter functionality of the httpd web server component, triggered by manipulating the 'page' parameter. A public proof-of-concept exploit is available on GitHub, significantly lowering the barrier to exploitation, though no CISA KEV listing or widespread exploitation has been confirmed at time of analysis.
Buffer Overflow
Tenda
-
CVE-2026-7055
HIGH
CVSS 7.4
Remote code execution in Tenda F456 router firmware 1.0.0.5 allows authenticated attackers to overflow buffers in the httpd service via crafted menufacturer/Go parameters to the VirtualSer endpoint. Public exploit code exists on GitHub (Litengzheng/vuldb_new), enabling attackers with low-privilege credentials to achieve complete system compromise. While CVSS rates this 7.4 (High) with network attack vector and low complexity, the requirement for authentication (PR:L) moderates real-world risk compared to unauthenticated RCE - priority depends on whether default credentials are documented or credential stuffing is viable against target deployments.
Buffer Overflow
Tenda
-
CVE-2026-7054
HIGH
CVSS 7.4
Buffer overflow in Tenda F456 router firmware 1.0.0.5 allows authenticated remote attackers to execute arbitrary code via malformed PPTP client parameters. The vulnerability resides in the fromPptpUserAdd function of the httpd web server component, specifically through manipulation of the opttype/usernamewith arguments. Public exploit code is available on GitHub, significantly lowering the barrier for exploitation against internet-exposed Tenda F456 devices with default or weak administrative credentials.
Buffer Overflow
Tenda
-
CVE-2026-7053
HIGH
CVSS 7.4
Buffer overflow in Tenda F456 router firmware version 1.0.0.5 enables authenticated remote attackers to achieve complete system compromise via crafted HTTP requests to the /goform/L7Prot endpoint. The vulnerability affects the frmL7ProtForm function in the httpd component, triggered by malicious 'page' parameter manipulation. Public exploit code exists on GitHub (Litengzheng/vuldb_new), significantly lowering the barrier to exploitation despite requiring low-privilege authentication (PR:L). CVSS 7.4 reflects high confidentiality, integrity, and availability impact with network attack vector and low complexity.
Buffer Overflow
Tenda
-
CVE-2026-7039
HIGH
CVSS 7.1
Command injection in ssh-mcp versions up to 1.5.0 allows authenticated local users to execute arbitrary OS commands via the Description parameter to the shell.write function in src/index.ts. Publicly available exploit code exists (GitHub issue #44) demonstrating the vulnerability. Despite CVSS 7.1 severity, real-world risk is moderate due to local-only attack vector and low EPSS score (0.06%, 18th percentile), indicating minimal observed exploitation attempts. Vendor has not responded to early disclosure via issue report.
Command Injection
-
CVE-2026-7037
HIGH
CVSS 8.9
OS command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 enables remote unauthenticated attackers to execute arbitrary system commands via the pptpPassThru parameter in the setVpnPassCfg function. Public exploit code exists on GitHub, dramatically lowering the barrier to exploitation. CVSS v4.0 base score of 8.9 reflects network attack vector, low complexity, and no authentication requirements, with high impact to confidentiality, integrity, and availability of the vulnerable device.
Command Injection
-
CVE-2026-7035
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda FH1202 router firmware 1.2.0.14 allows authenticated remote attackers to execute arbitrary code via crafted HTTP requests to the /goform/WrlclientSet endpoint. The vulnerability resides in the fromWrlclientSet function of the httpd component, triggered by malicious 'Go' parameter input. Publicly available proof-of-concept exploit code increases immediate exploitation risk for exposed devices. EPSS data not provided, but public POC and low attack complexity (AC:L) indicate elevated real-world risk despite authentication requirement (PR:L).
Buffer Overflow
Stack Overflow
Tenda
-
CVE-2026-7034
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda FH1202 router firmware 1.2.0.14(408) allows authenticated remote attackers to execute arbitrary code via crafted 'Go' parameter to the /goform/WrlExtraSet endpoint in the httpd service. A public proof-of-concept exploit exists (GitHub), and low attack complexity (AC:L) makes exploitation reliable. CVSS 7.4 (High) severity reflects significant impact potential, though exploitation requires valid user credentials (PR:L), limiting mass-scale attacks to deployments where default or weak credentials remain in place.
Buffer Overflow
Stack Overflow
Tenda
-
CVE-2026-7033
HIGH
CVSS 7.4
Buffer overflow in Tenda F456 router firmware 1.0.0.5 allows authenticated remote attackers to achieve high-impact compromise of device confidentiality, integrity, and availability through crafted input to the SafeClientFilter function. A proof-of-concept exploit has been published on GitHub, increasing the likelihood of exploitation attempts against exposed management interfaces. While authentication is required (PR:L), the low attack complexity (AC:L) and network accessibility (AV:N) make this exploitable by attackers with basic router credentials.
Buffer Overflow
Tenda
-
CVE-2026-7032
HIGH
CVSS 7.4
Buffer overflow in Tenda F456 wireless router firmware 1.0.0.5 allows authenticated remote attackers to achieve arbitrary code execution through the SafeEmailFilter function. The vulnerability requires low-privilege authentication but enables complete system compromise (confidentiality, integrity, and availability impact all rated High). A public exploit has been published on GitHub, significantly lowering the barrier for exploitation; there is no CISA KEV listing and no EPSS data for this entry, so in-the-wild exploitation is unconfirmed rather than ruled out.
Buffer Overflow
Tenda
-
CVE-2026-7031
HIGH
CVSS 7.4
Buffer overflow in Tenda F456 router version 1.0.0.5 allows authenticated remote attackers to achieve complete device compromise via crafted HTTP requests to the /goform/SafeMacFilter endpoint. The vulnerability resides in the fromSafeMacFilter function's improper validation of the 'page' parameter. Public exploit code is available on GitHub, significantly lowering the technical barrier for exploitation. CVSS 7.4 (High) reflects the network attack vector and high impact across confidentiality, integrity, and availability, though exploitation requires low-privilege authentication.
Buffer Overflow
Tenda
-
CVE-2026-7030
HIGH
CVSS 7.4
Remote code execution in Tenda F456 router firmware version 1.0.0.5 allows authenticated attackers to crash the device or execute arbitrary code via buffer overflow in the RouteStatic configuration handler. The vulnerability targets the 'page' parameter in /goform/RouteStatic endpoint and requires only low-privilege authentication (CVSS PR:L). A publicly available proof-of-concept exploit exists on GitHub, significantly lowering the technical barrier for exploitation. The CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact with low attack complexity (AC:L) and network-based attack vector (AV:N).
Buffer Overflow
Tenda
-
CVE-2026-7029
HIGH
CVSS 7.4
Buffer overflow in Tenda F456 router firmware version 1.0.0.5 allows authenticated remote attackers to execute arbitrary code or crash the device by sending malformed HTTP requests to the /goform/addressNat endpoint. The vulnerability exists in the fromaddressNat function, and publicly available proof-of-concept code demonstrates it. CVSS 7.4 with low attack complexity indicates straightforward exploitation once authenticated; EPSS data is not provided for this entry, so the public POC is the only exploitation signal available.
Buffer Overflow
Tenda
-
CVE-2026-7019
HIGH
CVSS 7.4
Remote code execution in Tenda F456 router firmware 1.0.0.5 allows authenticated attackers to crash the device or execute arbitrary code via buffer overflow in the fromP2pListFilter function. Exploitation requires low-privilege authentication (PR:L) and is network-accessible (AV:N) with low attack complexity (AC:L). Publicly available exploit code exists (CVSS E:P), significantly lowering the barrier to exploitation. EPSS data not provided, but public POC availability and router attack surface suggest moderate real-world risk for exposed management interfaces.
Buffer Overflow
Tenda
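The Tenda F456 and FH1202 entries above share one shape: a form parameter (page, Go, funcname, ...) submitted to a /goform/ handler is copied into a fixed-size buffer in httpd. Without the firmware in hand, the practical control is to watch the management interface for inputs that cannot be legitimate. The following is an added example, not Tenda's code and not any of the published exploits: it checks captured HTTP requests for /goform/ parameters that are oversized or carry non-printable bytes. The length threshold, the sample requests and the assumption that the traffic is visible to a proxy or IDS in front of the router are the example's own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumptions: a legitimate goform field (page, Go, funcname, ...) is a short form
# or menu name, so anything beyond MAX_PARAM_LEN or containing non-printable
# bytes (raw addresses, shellcode) is treated as an overflow attempt.
GOFORM_PREFIX = "/goform/"
MAX_PARAM_LEN = 128
NON_PRINTABLE = re.compile(r"[^\x20-\x7e]")


def parse_request(raw: str):
    """Split a captured HTTP request into (method, request-target, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _version = head.split("\r\n", 1)[0].split(" ", 2)
    return method, target, body


def suspicious_params(method: str, target: str, body: str):
    """Return (path, parameter, reason) for every oversized or binary-looking
    parameter sent to a /goform/ handler; other paths are out of scope."""
    parts = urlsplit(target)
    if not parts.path.startswith(GOFORM_PREFIX):
        return []
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, value in params:
        reasons = []
        if len(value) > MAX_PARAM_LEN:
            reasons.append(f"length {len(value)} > {MAX_PARAM_LEN}")
        if NON_PRINTABLE.search(value):
            reasons.append("non-printable bytes")
        if reasons:
            findings.append((parts.path, name, "; ".join(reasons)))
    return findings


def scan(requests):
    """Run the check over a batch of raw requests."""
    findings = []
    for raw in requests:
        findings.extend(suspicious_params(*parse_request(raw)))
    return findings


# Constructed sample traffic (not captured from a real device).
SAMPLES = [
    # benign: a normal save of the static-route form
    "POST /goform/RouteStatic HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"
    "page=routestatic&action=add",
    # overflow attempt: 'page' padded far past any plausible form name
    "POST /goform/RouteStatic HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"
    "page=" + "A" * 600 + "&action=add",
    # overflow attempt: short, but carries raw bytes that look like an address
    "POST /goform/addressNat HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"
    "page=" + "A" * 40 + "%08%40%01%00",
    # long value to a non-goform path: not this rule's business
    "GET /cgi-bin/status?note=" + "B" * 600 + " HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(*finding)
```

The two flagged samples are the second and third; the benign save and the long value to a non-goform path pass. Tune MAX_PARAM_LEN against real traffic from the device before alerting on it.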
-
CVE-2026-42254
MEDIUM
CVSS 4.0
Hickory DNS recursor versions 0.1 through 0.25.2 allow cross-zone DNS cache poisoning because cached records are not tied to the query (and therefore the zone) that produced them. A server authoritative for one zone can return records for names in another zone, and the recursor caches and later serves them, so an attacker who controls any zone the recursor visits can redirect traffic for unrelated domains to attacker-controlled servers without user interaction or authentication. The standard defence is a bailiwick check: accept from a response only records whose names fall within the zone the queried server is authoritative for.
Cache Poisoning
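Both DNS entries above (the Technitium delegation loop and the Hickory cross-zone poisoning) come down to two resolver rules: bound the work one client query may trigger, and cache only records the answering server is authoritative for. The toy iterative resolver below is an added example, not code from either project; its zones, nameserver addresses and the attacker's server are all constructed. a.test. and b.test. delegate to nameservers in each other's zone with no glue, so a naive resolver chases the cycle until its query budget is spent, and evil.test. pads its additional section with an A record for www.bank.test., which the bailiwick check drops.

```python
from collections import namedtuple

RR = namedtuple("RR", "name rtype data")
Response = namedtuple("Response", "answer authority additional")
ROOT_SERVER = "192.0.2.53"  # every address and zone below is constructed


class ResolverError(Exception):
    pass


def in_bailiwick(name: str, zone: str) -> bool:
    """True when `name` is at or below `zone` (absolute, dot-terminated names)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def referral(zone, ns_name, glue=None):
    return Response([], [RR(zone, "NS", ns_name)],
                    [RR(n, "A", a) for n, a in (glue or {}).items()])


def tld_server(qname):
    """Server for test.: a.test. and b.test. are delegated to nameservers that
    live in each other's zone, with no glue, so resolving either needs the
    other first (the cyclic delegation). evil.test. and bank.test. are ordinary."""
    for child, ns_name, glue in (
        ("a.test.", "ns.b.test.", {}),
        ("b.test.", "ns.a.test.", {}),
        ("evil.test.", "ns.evil.test.", {"ns.evil.test.": "192.0.2.66"}),
        ("bank.test.", "ns.bank.test.", {"ns.bank.test.": "192.0.2.10"}),
    ):
        if in_bailiwick(qname, child):
            return referral(child, ns_name, glue)
    raise ResolverError(f"NXDOMAIN {qname}")


def evil_server(qname):
    """Attacker's server: answers for its own zone but pads the additional
    section with an A record for a name in someone else's zone."""
    return Response([RR(qname, "A", "192.0.2.66")], [],
                    [RR("www.bank.test.", "A", "192.0.2.66")])


SERVERS = {
    ROOT_SERVER: lambda q: referral("test.", "ns.test.", {"ns.test.": "192.0.2.1"}),
    "192.0.2.1": tld_server,
    "192.0.2.66": evil_server,
    "192.0.2.10": lambda q: Response([RR(q, "A", "198.51.100.10")], [], []),
}


class Resolver:
    def __init__(self, max_queries=20, check_bailiwick=True):
        self.max_queries = max_queries          # work cap per client query
        self.check_bailiwick = check_bailiwick  # accept only in-zone records
        self.cache = {}                         # (name, rtype) -> data
        self.queries = 0

    def _ask(self, server, zone, qname):
        if self.queries >= self.max_queries:
            raise ResolverError(f"query budget exhausted resolving {qname}")
        self.queries += 1
        resp = SERVERS[server](qname)
        for rr in resp.answer + resp.authority + resp.additional:
            if self.check_bailiwick and not in_bailiwick(rr.name, zone):
                continue  # out-of-bailiwick: this server has no authority to say it
            self.cache[(rr.name, rr.rtype)] = rr.data
        return resp

    def resolve(self, qname):
        server, zone = ROOT_SERVER, "."
        while True:
            if (qname, "A") in self.cache:
                return self.cache[(qname, "A")]
            resp = self._ask(server, zone, qname)
            if resp.answer:
                return resp.answer[0].data
            if not resp.authority:
                raise ResolverError(f"no answer and no referral for {qname}")
            delegation = resp.authority[0]
            zone = delegation.name
            # glueless delegation: resolving the nameserver is itself a recursion
            server = self.resolve(delegation.data)


def amplification_of(qname, budget=20):
    """Upstream queries issued for one client query (capped by the budget)."""
    r = Resolver(max_queries=budget)
    try:
        r.resolve(qname)
    except ResolverError:
        pass
    return r.queries


def lookup_after_lure(qname, check_bailiwick=True):
    """The attacker first gets the resolver to visit evil.test.; then `qname` is looked up."""
    r = Resolver(check_bailiwick=check_bailiwick)
    r.resolve("www.evil.test.")
    return r.resolve(qname)
```

A normal name costs three upstream queries; the looped delegation costs exactly the budget, whatever the budget is, which is the amplification factor an attacker gets for free without the cap. With the bailiwick check off, one visit to evil.test. is enough to answer www.bank.test. from the poisoned cache.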
-
CVE-2026-7066
MEDIUM
CVSS 5.5
Remote OS command injection in simple-openstack-mcp allows unauthenticated attackers to execute arbitrary system commands via the exec_openstack function in server.py. The vulnerability affects all deployments up to commit 767b2f4a8154cca344344b9725537a58399e6036, with confirmed publicly available exploit code (GitHub issue #3). CVSS 7.3 severity reflects network attack vector with no authentication required, enabling direct system compromise. Project maintainer has not responded to vulnerability disclosure at time of analysis.
Command Injection
-
CVE-2026-7065
MEDIUM
CVSS 5.5
Server-side request forgery (SSRF) in BuildingAI up to version 26.0.1 allows remote unauthenticated attackers to abuse the Remote Upload API's uploadRemoteFile function by manipulating the url parameter, enabling unauthorized access to internal resources, data exfiltration from cloud metadata services, and potential pivoting to internal network systems. A publicly available exploit exists (GitHub issue #110), but the vendor has not responded to disclosure. CVSS 7.3 with EPSS data unavailable; exploitation requires no authentication and low attack complexity (AV:N/AC:L/PR:N/UI:N), making this a high-priority remediation target despite unknown CISA KEV status.
SSRF
-
CVE-2026-7064
MEDIUM
CVSS 5.5
Remote unauthenticated attackers can inject arbitrary operating system commands through the browser-connector.ts file in AgentDeskAI browser-tools-mcp versions up to 1.2.0, leading to command execution with application privileges. The vulnerability stems from improper input sanitization in file browser processing and has been published with publicly available exploit code; the vendor has been notified but has not yet released a patch.
Command Injection
-
CVE-2026-7063
MEDIUM
CVSS 5.5
SQL injection in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to extract, modify, or delete database contents via the pwd parameter in /370project/process/eprocess.php. CVSS 7.3 (High) with network vector and no prerequisites. Publicly available exploit code exists on GitHub, enabling immediate weaponization. No vendor-released patch identified at time of analysis. EPSS data unavailable and not listed in CISA KEV, so in-the-wild exploitation is unconfirmed despite the public POC.
PHP
SQLi
-
CVE-2026-7062
MEDIUM
CVSS 5.5
OS command injection in Intina47 context-sync through version 2.0.0 allows remote unauthenticated attackers to execute arbitrary system commands via the Git integration module (src/git-integration.ts). CVSS 7.3 with network attack vector and no authentication required indicates significant exposure. Publicly available exploit code exists (wing3e/public_exp repository); there is no CISA KEV listing, so exploitation beyond proof-of-concept is unconfirmed. EPSS data unavailable, but the combination of network exposure, no authentication requirement, and public exploit warrants immediate remediation priority for organizations using this synchronization tool.
Command Injection
-
CVE-2026-7061
MEDIUM
CVSS 5.5
OS command injection in Toowiredd chatgpt-mcp-server up to version 0.1.0 allows remote unauthenticated attackers to execute arbitrary system commands through the Docker service component. The vulnerability exists in src/services/docker.service.ts within the MCP/HTTP interface and has publicly available exploit code. The vendor has been notified but has not yet released a patch.
Docker
Command Injection
-
CVE-2026-7060
MEDIUM
CVSS 5.5
SQL injection in Yu Picture's PageRequest handler allows remote unauthenticated attackers to manipulate database queries via the sortField parameter in PictureServiceImpl.java. The vulnerability exists in MyBatis-Plus integration code at commit a053632c41340152bf75b66b3c543d129123d8ec. Publicly available exploit code exists (GitHub issue #4) with EPSS not yet calculated. Vendor patch available via pull request #3 but remains unmerged, leaving deployed instances vulnerable. CVSS 7.3 reflects network-accessible, low-complexity exploitation with no authentication required, enabling partial confidentiality, integrity, and availability compromise.
Java
SQLi
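ORDER BY is the classic place where a bind parameter cannot help: the column is an identifier, not a value, so frameworks such as MyBatis splice it into the statement as text (the `${sortField}` form). The example below is not Yu Picture's code and uses a constructed SQLite schema; it shows how an attacker turns a sort field into a boolean oracle that leaks a stored password one character at a time, and the allowlist version that confines the sort to known columns.

```python
import sqlite3
import string

ALLOWED_SORT_FIELDS = {"id", "name", "created_at"}  # assumption: columns the UI may sort on


def make_db():
    """In-memory stand-in for the application database (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE picture (id INTEGER, name TEXT, created_at TEXT);
        INSERT INTO picture VALUES (1, 'zebra', '2026-01-01'), (2, 'apple', '2026-01-02');
        CREATE TABLE user (id INTEGER, password TEXT);
        INSERT INTO user VALUES (1, 'admin123');
    """)
    return conn


def list_pictures_vulnerable(conn, sort_field):
    # ORDER BY cannot take a bind parameter, so the field lands in the SQL text
    # verbatim: the attacker controls an arbitrary expression, not just a name.
    return conn.execute(f"SELECT id, name FROM picture ORDER BY {sort_field}").fetchall()


def list_pictures_safe(conn, sort_field, descending=False):
    # Allowlist the identifier; the SQL text is built only from constants.
    if sort_field not in ALLOWED_SORT_FIELDS:
        raise ValueError(f"unsupported sort field: {sort_field!r}")
    direction = "DESC" if descending else "ASC"
    return conn.execute(
        f'SELECT id, name FROM picture ORDER BY "{sort_field}" {direction}'
    ).fetchall()


def oracle(conn, prefix):
    """Boolean oracle: rows come back id-ordered when the guessed prefix is right,
    name-ordered otherwise, so the sort order leaks one bit per request."""
    injected = (f"(CASE WHEN (SELECT password FROM user LIMIT 1) LIKE '{prefix}%' "
                f"THEN id ELSE name END)")
    rows = list_pictures_vulnerable(conn, injected)
    return rows[0][0] == 1


def leak_password(conn, length=8):
    """Recover the password one character at a time through the ORDER BY oracle."""
    alphabet = string.ascii_lowercase + string.digits
    recovered = ""
    for _ in range(length):
        for ch in alphabet:
            if oracle(conn, recovered + ch):
                recovered += ch
                break
        else:
            break
    return recovered


if __name__ == "__main__":
    db = make_db()
    print(leak_password(db))                  # admin123
    print(list_pictures_safe(db, "name"))     # [(2, 'apple'), (1, 'zebra')]
```

The oracle never sees an error or a row it should not: the leak is purely in which row comes first. That is why sort and pagination parameters deserve the same scrutiny as WHERE-clause inputs, and why the only fix is a closed set of column names.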
-
CVE-2026-7059
MEDIUM
CVSS 5.5
Path traversal in MiroFish up to version 0.1.2 allows remote unauthenticated attackers to read arbitrary files via manipulation of the Platform query parameter in the get_simulation_posts function. The vulnerability affects the backend simulation API endpoint and has publicly available exploit code, though exploitation is limited to information disclosure rather than modification or availability impact.
Path Traversal
-
CVE-2026-7058
MEDIUM
CVSS 5.5
Remote command injection in MiroFish versions up to 0.1.2 allows unauthenticated attackers to execute arbitrary system commands through the SimulationIPCClient.send_command function in the inter-process communication module. The vulnerability is exploitable over the network with low complexity, requiring no user interaction or authentication. A public proof-of-concept exploit has been disclosed (GitHub issue #488), and EPSS data shows moderate exploitation probability. The vendor (666ghj) has been notified via issue report but has not responded or released a patch, leaving all MiroFish installations vulnerable to remote compromise.
Command Injection
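The ssh-mcp, simple-openstack-mcp, browser-tools-mcp, context-sync, chatgpt-mcp-server and MiroFish entries are variations on one mistake: a string is assembled from tool input and handed to a shell. The added example below is not any of those projects' code. It wraps a stand-in tool (a Python one-liner that echoes its argv, chosen so the example runs anywhere) three ways: string plus shell, argv list, and argv list plus an allowlist. The hostname pattern is an assumption.

```python
import json
import re
import shlex
import subprocess
import sys

# Stand-in for the binary these servers wrap (openstack, git, docker, ssh ...):
# it echoes its argv as JSON so we can see how the input was tokenised.
# Constructed for the example; none of this is the projects' own code.
TOOL = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]


def run_vulnerable(target: str) -> str:
    """Command built as a string and handed to the shell: metacharacters in
    `target` are interpreted by /bin/sh, not passed through to the tool."""
    cmd = f"{shlex.join(TOOL)} status {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(target: str) -> list:
    """argv list, no shell: the whole value is one argument, whatever it contains."""
    out = subprocess.run([*TOOL, "status", target], capture_output=True, text=True).stdout
    return json.loads(out)


TARGET_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")  # assumption: hostnames/resource names


def run_safe(target: str) -> list:
    """argv plus an allowlist. The allowlist also blocks option injection: a value
    starting with '-' would otherwise be parsed by the tool as a flag (for ssh,
    think -oProxyCommand=...), which argv separation alone does not prevent."""
    if not TARGET_RE.fullmatch(target):
        raise ValueError(f"rejected target {target!r}")
    return run_argv(target)


if __name__ == "__main__":
    payload = "srv01; echo INJECTED"
    print(run_vulnerable(payload))  # the tool sees ['status', 'srv01'], then the shell runs echo
    print(run_argv(payload))        # ['status', 'srv01; echo INJECTED'] as one argument
    print(run_safe("srv01"))        # ['status', 'srv01']
```

The argv version already defeats the `;` payload, but it still delivers `-oProxyCommand=...` to the tool as a flag; the allowlist is what closes that second channel. Where the wrapped tool accepts an end-of-options marker, passing `--` before the value is a cheap extra guard.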
-
CVE-2026-7045
MEDIUM
CVSS 5.3
SpEL expression injection in baomidou dynamic-datasource 2.5.0 allows authenticated remote attackers to execute arbitrary code via the DsSpelExpressionProcessor component. The vulnerability stems from unsafe evaluation of Spring Expression Language (SpEL) in datasource routing logic, enabling attackers with application access to inject malicious expressions that execute with application privileges. No public exploit code or active exploitation has been identified at time of analysis, though upstream fix is available.
Java
Code Injection
-
CVE-2026-7042
MEDIUM
CVSS 5.5
Missing authentication in MiroFish REST API allows remote attackers to bypass security controls and access protected endpoints without credentials. The vulnerability affects MiroFish versions up to 0.1.2 in the create_app function within backend/app/__init__.py. A publicly available exploit demonstrates the attack (GitHub issue #487), and the vulnerability is trivially exploitable with CVSS complexity rated Low and no authentication required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N). The vendor has not responded to responsible disclosure attempts, leaving users without an official patch. With CVSS 7.3 (High) and confirmed public POC, this represents an immediate risk to deployments exposing the REST API to untrusted networks.
Authentication Bypass
-
CVE-2026-7036
MEDIUM
CVSS 5.5
Path traversal in Tenda i9 router firmware version 1.0.0.5(2204) allows remote unauthenticated attackers to read files outside the intended directory via the R7WebsSecurityHandler function in the HTTP Handler component; depending on the path reached, configuration data can be exposed or device operation disrupted. Publicly available exploit code exists on GitHub (Litengzheng/vuldb_new), enabling straightforward exploitation. The vulnerability permits confidentiality, integrity, and availability impacts with low attack complexity and no required user interaction, making it a realistic target for automated scanning and exploitation.
Path Traversal
Tenda
-
CVE-2026-7026
MEDIUM
CVSS 5.4
Cross-site scripting (XSS) in D-Link DGS-3420 firmware 1.50.018 allows authenticated remote attackers to inject malicious scripts via the System Name parameter on the System Information Settings Page. The attacker needs administrative privileges (PR:H), and the script fires only when another user views the affected page (UI:R), which limits the attack to multi-administrator environments or to luring an administrator into submitting a crafted request. Publicly available exploit code exists; CVSS 4.5 reflects the privilege and user-interaction requirements, with impact limited to session hijacking or information disclosure through the injected script.
XSS
D-Link
-
CVE-2026-7025
MEDIUM
CVSS 5.5
Server-side request forgery in Typecho's Pingback Service (versions up to 1.3.0) allows remote unauthenticated attackers to force the server to make arbitrary HTTP requests to internal or external resources. The vulnerability resides in Service::sendPingHandle() function where attacker-controlled X-Pingback and link parameters bypass validation. Public exploit code exists (documented in researcher blog post), enabling immediate weaponization. CVSS 7.3 reflects network-accessible attack with no authentication required. EPSS data not available, but public POC significantly elevates real-world risk. Vendor non-responsive to early disclosure.
PHP
SSRF
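Both SSRF entries (BuildingAI's remote upload and Typecho's pingback) need the same control: validate the destination before the server connects to it, and validate it again on every redirect. The added example below is not either project's code; it uses a constructed DNS table and constructed HTTP responses so it runs offline. A real implementation replaces fake_resolve with socket.getaddrinfo and connects to the pinned address with the Host header set explicitly, so a second lookup cannot rebind the name to something internal.

```python
import ipaddress
from urllib.parse import urlsplit


class SSRFError(ValueError):
    pass


# Constructed DNS answers so the example runs offline; real code calls
# socket.getaddrinfo and must check every address it returns, not just the first.
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "internal.example": ["10.0.0.5"],
    "split.example": ["93.184.216.34", "10.0.0.5"],  # one private answer is enough to reject
    "localhost": ["127.0.0.1", "::1"],
    "metadata.google.internal": ["169.254.169.254"],
}


def fake_resolve(host):
    try:
        return [str(ipaddress.ip_address(host))]  # literal address, nothing to look up
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise SSRFError(f"cannot resolve {host}")
    return FAKE_DNS[host]


def is_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return addr.is_global and not addr.is_multicast


def validate_fetch_target(url, resolve=fake_resolve):
    """Return (hostname, address) for a URL the server may fetch, or raise
    SSRFError. Checks scheme, userinfo tricks, and every resolved address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username is not None or parts.password is not None:
        raise SSRFError("host missing or userinfo present")
    addrs = resolve(parts.hostname.rstrip("."))
    for ip in addrs:
        if not is_public(ip):
            raise SSRFError(f"{parts.hostname} resolves to non-public {ip}")
    return parts.hostname, addrs[0]


# Constructed HTTP responses: (status, Location, body). The second one is the
# classic bypass: a public host that 302s to the cloud metadata endpoint.
FAKE_HTTP = {
    "https://public.example/ok": (200, None, "pong"),
    "https://public.example/go": (302, "http://169.254.169.254/latest/meta-data/", ""),
}


def fetch_pinned(url, addr):
    # Real code: open the socket to `addr` (not to a fresh lookup), send
    # Host: <hostname>, and leave automatic redirect following switched off.
    return FAKE_HTTP.get(url, (404, None, ""))


def fetch_safely(url, max_hops=3):
    """Fetch with redirects disabled in the client and re-validated here, hop by hop."""
    for _ in range(max_hops):
        host, addr = validate_fetch_target(url)
        status, location, body = fetch_pinned(url, addr)
        if status in (301, 302, 303, 307, 308) and location:
            url = location  # the next hop goes through validation again
            continue
        return status, body
    raise SSRFError("too many redirects")
```

Rejecting userinfo and non-http schemes closes the parser-confusion cases (`http://public.example@10.0.0.5/`, `file:`, `gopher:`); checking every resolved address closes split answers; re-validating each redirect closes the open-redirect pivot.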
-
CVE-2026-7022
MEDIUM
CVSS 5.5
Improper authentication in SmythOS sre up to version 0.0.15 allows remote attackers to bypass authentication via manipulation of HTTP headers X-DEBUG-RUN and X-DEBUG-INJ in the AgentRuntime component, enabling unauthorized access with low confidentiality, integrity, and availability impact. Publicly available exploit code exists and the vendor has not responded to early disclosure notification.
Authentication Bypass
-
CVE-2026-7044
LOW
CVSS 2.1
Unrestricted file upload in GreenCMS up to version 2.3 allows authenticated remote attackers to upload arbitrary files via the themeadd function in the custom admin module, potentially enabling remote code execution or content manipulation. Publicly available exploit code exists and the vulnerability affects only end-of-life versions of the product.
PHP
File Upload
-
CVE-2026-7043
LOW
CVSS 2.1
Unrestricted file upload in GreenCMS up to version 2.3 via the pluginAddLocal function in /index.php?m=admin&c=custom&a=pluginadd allows authenticated remote attackers to upload arbitrary files, leading to potential remote code execution. The vulnerability affects only unsupported legacy versions. Publicly available exploit code exists, and the CVSS vector confirms network-accessible exploitation requiring low privileges.
PHP
File Upload
-
CVE-2026-7041
LOW
CVSS 2.9
Information disclosure in MiroFish up to version 0.1.2 allows remote attackers to leak sensitive data through manipulation of the SECRET argument in the Werkzeug Debugger PIN Handler at the /console endpoint. The vulnerability requires high attack complexity and has a low CVSS score (3.7) indicating limited confidentiality impact, but publicly available exploit code exists and the vendor has not responded to early notification.
Information Disclosure
-
CVE-2026-7038
LOW
CVSS 1.9
Insufficient credential protection in tufantunc ssh-mcp up to version 1.5.0 allows local authenticated users to disclose sensitive credentials through the Command Line Handler component. The vulnerability affects src/index.ts and has a publicly available exploit, though the low CVSS score of 1.9 reflects limited scope (confidentiality impact only, no integrity or availability effects) and requirement for local authenticated access.
Information Disclosure
-
CVE-2026-7028
LOW
CVSS 2.0
SQL injection in CodeAstro Online Job Portal 1.0 allows authenticated admin users to manipulate the ID parameter in /admin/jobs-admins/delete-jobs.php, enabling remote attackers with admin access to read, modify, or delete database records. The vulnerability requires high-level admin privileges (PR:H) but has low attack complexity (AC:L), and exploitation is confirmed by publicly available proof-of-concept code.
PHP
SQLi
-
CVE-2026-7027
LOW
CVSS 1.9
Cross-site scripting (XSS) in D-Link DSL-2740R EU_01.15 allows authenticated remote attackers with high privileges to inject malicious scripts via the Wireless Network Name parameter in the Wireless Setup Section, affecting data integrity when a user views the compromised configuration. The vulnerability requires user interaction and administrative credentials, limiting its real-world exploitation scope despite publicly available exploit code.
XSS
D-Link
-
CVE-2026-7024
LOW
CVSS 2.1
Path traversal in rawchen sims DeleteFileServlet endpoint allows authenticated remote attackers to manipulate the filename parameter and access arbitrary files on the system, potentially leading to information disclosure or file modification. The vulnerability affects all versions up to commit 004f783b1db5ecdfad81c8fdc3b34171211112de, with publicly available exploit code and no vendor response to early disclosure notification.
Java
Path Traversal
-
CVE-2026-7023
LOW
CVSS 2.1
SQL injection in ByteDance coze-studio up to version 0.5.1 allows authenticated remote attackers to manipulate the ExecuteSQL function in the databaseTool component, enabling arbitrary SQL query execution with limited confidentiality and integrity impact. The vulnerability has a publicly available exploit and affects the backend database service layer; the vendor has not responded to disclosure efforts.
SQLi
-
CVE-2026-7021
LOW
CVSS 2.0
SmythOS sre versions up to 0.0.15 expose sensitive information through improper validation of the baseURL argument in the Connector Service's LLM utilities component. An authenticated remote attacker with user interaction can manipulate the baseURL parameter to disclose confidential data. Public exploit code exists, and the vendor has not responded to early disclosure notifications.
Information Disclosure
-
CVE-2026-7020
LOW
CVSS 2.9
Path traversal in Ollama up to version 0.20.2 affects the digestToPath function in the Tensor Model Transfer Handler: a remote attacker who can supply a crafted digest argument can escape the intended blob directory. Exploitation has high attack complexity (AC:H); public exploit code exists, though the vendor has not acknowledged disclosure attempts. CVSS 6.3 reflects low confidentiality, integrity, and availability impact, limited by the high attack complexity and no scope change.
Path Traversal
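The path traversal entries (MiroFish's get_simulation_posts, Tenda i9, rawchen sims DeleteFileServlet and Ollama's digestToPath) split into two cases: a user-supplied path that must stay under a base directory, and a digest that must have a fixed shape before it is ever turned into a file name. The added example below is not code from any of those projects; the base directories and the blob naming scheme are assumptions. On a live filesystem, resolve symlinks with os.path.realpath before the containment check, which this string-only version deliberately does not do.

```python
import posixpath
import re
from urllib.parse import unquote


class PathTraversalError(ValueError):
    pass


UPLOAD_ROOT = "/srv/app/uploads"      # constructed base directory
BLOB_ROOT = "/var/lib/models/blobs"   # constructed; the layout is an assumption, not Ollama's


def vulnerable_join(base, user_path):
    """What most traversal bugs look like: join and hope. '..' walks out of base,
    and an absolute user path replaces base entirely."""
    return posixpath.normpath(posixpath.join(base, user_path))


def safe_join(base, user_path):
    """Decode once, reject NUL and absolute paths, normalise, then confirm the
    result is still inside `base`. The comparison includes a trailing separator
    so that /srv/app/uploads_old does not pass as a child of /srv/app/uploads."""
    decoded = unquote(user_path).replace("\\", "/")
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    if decoded.startswith("/"):
        raise PathTraversalError("absolute path")
    full = posixpath.normpath(posixpath.join(base, decoded))
    if full != base and not full.startswith(base + "/"):
        raise PathTraversalError(f"{user_path!r} escapes {base}")
    return full


DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def digest_to_path(digest):
    """Pin the digest's shape before deriving a file name from it; anything that
    is not exactly 'sha256:' plus 64 lowercase hex digits never reaches the join."""
    if not DIGEST_RE.fullmatch(digest):
        raise PathTraversalError(f"malformed digest {digest!r}")
    return posixpath.join(BLOB_ROOT, digest.replace(":", "-"))


if __name__ == "__main__":
    print(vulnerable_join(UPLOAD_ROOT, "../../etc/passwd"))  # /srv/etc/passwd
    print(safe_join(UPLOAD_ROOT, "reports/../q1.txt"))       # /srv/app/uploads/q1.txt
    print(digest_to_path("sha256:" + "ab" * 32))
```

The digest case is the easier one to get right precisely because the legitimate input space is so small: a fullmatch against the expected format leaves no room for separators, dots or encoded bytes, whereas a free-form path always needs the containment check after normalisation.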
-
CVE-2026-7018
LOW
CVSS 2.9
Datavane Datavines up to commit 13607645e14a4982468cfdbcf75c85cde63bae71 uses a hard-coded cryptographic key in the JWT Token Handler component, allowing remote attackers to manipulate the tokenSecret parameter and bypass authentication or forge tokens. The vulnerability requires high attack complexity but has publicly available exploit code; the vendor has been informed via pull request but has not yet merged the fix.
Java
Authentication Bypass
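A hard-coded JWT signing key turns every copy of the repository into a token-minting oracle. The added example below, which is not Datavines' code and uses a constructed secret, implements just enough HS256 to show a forged admin token verifying against the baked-in key, alongside a loader that refuses to start unless the secret comes from the environment and is of reasonable length.

```python
import base64
import hashlib
import hmac
import json
import os


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT (header.payload.signature), enough to show the failure mode."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Pin the algorithm, recompute the MAC, compare in constant time."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


# The anti-pattern: a default that ships in the source tree. Constructed value,
# not the key from any real project.
HARDCODED_SECRET = b"change-me-in-production"


def load_secret(env=os.environ) -> bytes:
    """The fix: no compiled-in fallback; refuse to start without a strong secret."""
    raw = env.get("JWT_SECRET")
    if raw is None or len(raw) < 32:
        raise RuntimeError("JWT_SECRET must be set and at least 32 characters")
    return raw.encode()


def forge_admin_token(secret: bytes) -> str:
    """What anyone who has read the repository can do against a hard-coded key."""
    return sign_hs256({"sub": "attacker", "role": "admin"}, secret)


if __name__ == "__main__":
    forged = forge_admin_token(HARDCODED_SECRET)
    print(verify_hs256(forged, HARDCODED_SECRET))  # {'sub': 'attacker', 'role': 'admin'}
```

The forged token is indistinguishable from a legitimate one because the secret is the only thing that makes HS256 tokens authentic. Rotating the key after removing the default is part of the fix, since tokens minted under the old key remain valid until it is gone.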
-
CVE-2026-7016
LOW
CVSS 1.9
Cross-site scripting (XSS) in MaxSite CMS up to version 109.3 allows authenticated high-privilege users to inject malicious scripts via the ushki Plugin's f_ushka_new or f_ushk parameters. The vulnerability requires user interaction to trigger, but publicly available exploit code exists. Vendor classified this as self-XSS and fixed the root cause (missing htmlspecialchars() filtering) in version 109.4.
XSS
-
CVE-2026-7015
LOW
CVSS 1.9
Cross-site scripting (XSS) in MaxSite CMS Guestbook Plugin up to version 109.3 allows authenticated high-privilege users to inject malicious scripts via the f_text, f_slug, f_limit, or f_email parameters due to missing htmlspecialchars() output filtering. The vulnerability requires high-privilege authentication and user interaction (UI:P), limiting it to trusted administrators, but publicly available exploit code exists. Upgrading to version 109.4 resolves the issue by implementing proper output encoding.
XSS
-
CVE-2026-7014
LOW
CVSS 1.9
Cross-site scripting (XSS) in MaxSite CMS up to version 109.3 affects the down_count plugin, where unsanitized input in the f_file and f_prefix parameters allows authenticated high-privilege users to inject malicious scripts over the network; the script fires only with user interaction. The vendor classifies this as self-XSS because of the high privilege requirement (PR:H) and user interaction (UI:P), but the missing output encoding via htmlspecialchars() is still a secure-coding defect. Publicly available exploit code exists, and a patch is available in version 109.4.
XSS
-
CVE-2026-7013
LOW
CVSS 1.9
Cross-site scripting (XSS) in MaxSite CMS mail_send plugin up to version 109.3 allows authenticated high-privilege users to inject malicious scripts via the f_subject, f_files, or f_from parameters. The injected markup is stored and rendered in the plugin's admin interface; because only high-privilege users can both set and view it, the vendor classifies the issue as self-XSS, although it would affect any other administrator who opens the page. The root cause is missing htmlspecialchars() output encoding. Publicly available exploit code exists, and a patch is available in version 109.4.
XSS
-
CVE-2026-7012
LOW
CVSS 1.9
Cross-site scripting vulnerability in MaxSite CMS Redirect Plugin up to version 109.3 allows authenticated high-privilege users to inject malicious scripts via the f_all or f_all404 parameters due to missing output encoding with htmlspecialchars(). The vulnerability requires high-privilege authentication and user interaction to execute, resulting in low impact (integrity only); publicly available exploit code exists, and the vendor classifies the issue as self-XSS while still treating the missing encoding as a secure-coding defect. Upgrade to version 109.4 or later to remediate.
XSS
-
CVE-2026-7011
LOW
CVSS 1.9
Cross-site scripting (XSS) in MaxSite CMS up to version 109.3 allows authenticated administrators to inject malicious scripts via the f_logging_file parameter in the Antispam Plugin admin interface, leading to stored XSS with user interaction required. The vulnerability affects the /admin/plugin_antispam endpoint and results from insufficient output encoding. Vendor-released patch version 109.4 addresses the issue by implementing htmlspecialchars() filtering; publicly available exploit code exists.
XSS