Is there a public PoC exploit available for EUVD-2026-25689?

Yes, a public proof-of-concept exploit is available for EUVD-2026-25689. Prioritise patching immediately. EPSS: 0.0%.

Is there a patch available for EUVD-2026-25689?

Yes, a patch is available for EUVD-2026-25689. Update the affected software to the latest version immediately.

MaxSite CMS EUVD-2026-25689

Q: What is the CVSS score of EUVD-2026-25689?

EUVD-2026-25689 has a CVSS 4.0 base score of 1.9 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-7013 LOW

Cross-site Scripting (XSS) (CWE-79)

2026-04-26 VulDB

XSS Cms

1.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

1.9 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:12 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:12 NVD

4.8 (MEDIUM) 1.9 (LOW)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

Analysis Generated

Apr 26, 2026 - 03:30 vuln.today

Severity Changed

Apr 26, 2026 - 03:22 NVD

LOW MEDIUM

CVSS changed

Apr 26, 2026 - 03:22 NVD

2.4 (LOW) 4.8 (MEDIUM)

EUVD ID Assigned

Apr 26, 2026 - 03:00 euvd

EUVD-2026-25689

Analysis Generated

Apr 26, 2026 - 03:00 vuln.today

Patch released

Apr 26, 2026 - 03:00 nvd

Patch available

CVE Published

Apr 26, 2026 - 02:00 nvd

LOW 1.9

DescriptionCVE.org

A security vulnerability has been detected in MaxSite CMS up to 109.3. Affected by this issue is some unknown functionality of the component mail_send Plugin. The manipulation of the argument f_subject/f_files/f_from leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 109.4 can resolve this issue. The identifier of the patch is 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. It is advisable to upgrade the affected component. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via htmlspecialchars() has already been fixed in the latest patch to prevent incorrect data display."

AnalysisAI

Cross-site scripting (XSS) in MaxSite CMS mail_send plugin up to version 109.3 allows authenticated high-privilege users to inject malicious scripts via the f_subject, f_files, or f_from parameters, resulting in stored XSS that can affect other users. The vulnerability stems from missing input sanitization via htmlspecialchars() and is classified by the vendor as self-XSS. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Authenticate as high-privilege user

Delivery

Access mail_send plugin form

Exploit

Inject XSS payload in f_subject parameter

Install

Submit malicious email

Payload stored without sanitization

Execute

Victim views email submission

Impact

JavaScript executes in victim browser

Step 8

Session hijacking or malicious action performed