Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Cross Site Scripting vulnerability in MaxSite CMS v.109.2 allows a remote attacker to obtain sensitive information via the Backend page file upload endpoint used by admin_page
AnalysisAI
Stored or reflected Cross-Site Scripting in MaxSite CMS v.109.2 allows a remote attacker with low-privilege authenticated access to inject malicious scripts via the Backend page file upload endpoint (admin_page), which execute in the browsers of other users - including administrators - to exfiltrate sensitive information such as session tokens. The CVSS vector (S:C) confirms the attack crosses a security scope boundary, amplifying impact beyond the attacker's own session. A researcher-published proof-of-concept is publicly available on GitHub, though EPSS remains very low at 0.05% (17th percentile) and no active exploitation has been confirmed by CISA KEV.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) describes a failure to sanitize or encode attacker-controlled input before rendering it in an HTML response. In this case, the vulnerable surface is the file upload endpoint associated with the admin_page component of MaxSite CMS v.109.2 - a PHP-based content management system. Attacker-supplied data (likely a filename, file metadata, or file content) is reflected or stored without adequate output encoding, enabling injection of arbitrary JavaScript. The CVSS Scope:Changed rating indicates the injected script executes in a security context different from the upload context - classically, the attacker writes to the CMS backend and a privileged admin's browser executes the payload. No CPE strings were provided in the source intelligence; the affected product is identified solely by version string 109.2 from the CVE description.
RemediationAI
No vendor-released patch or fixed version has been identified from available data - the vendor advisory at http://maxsite.com does not link to a specific security bulletin in the provided references. Until a patch is released, the following compensating controls are recommended: restrict file upload permissions on the admin_page endpoint to the minimum necessary privilege tier, reducing attacker access; implement a strict Content Security Policy (CSP) header (e.g., default-src 'self') to prevent execution of injected scripts, noting this may break legitimate inline scripts in the CMS backend; sanitize and reject non-standard characters in uploaded filenames at the server layer; and enforce separate admin and contributor sessions with short expiry to limit session token exposure. Monitor the vendor site at http://maxsite.com and the researcher PoC at https://github.com/PureStream108/CVE/blob/main/MaxSite109.2/about_en.md for patch availability updates.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34180
GHSA-56f6-763p-wprp