Is there a public PoC exploit available for EUVD-2026-25690?

Yes, a public proof-of-concept exploit is available for EUVD-2026-25690. Prioritise patching immediately. EPSS: 0.0%.

Is there a patch available for EUVD-2026-25690?

Yes, a patch is available for EUVD-2026-25690. Update the affected software to the latest version immediately.

MaxSite CMS EUVD-2026-25690

Q: What is the CVSS score of EUVD-2026-25690?

EUVD-2026-25690 has a CVSS 4.0 base score of 1.9 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-7014 LOW

Cross-site Scripting (XSS) (CWE-79)

2026-04-26 VulDB

XSS Cms

1.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

1.9 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:12 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:12 NVD

4.8 (MEDIUM) 1.9 (LOW)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

Analysis Generated

Apr 26, 2026 - 03:30 vuln.today

Severity Changed

Apr 26, 2026 - 03:22 NVD

LOW MEDIUM

CVSS changed

Apr 26, 2026 - 03:22 NVD

2.4 (LOW) 4.8 (MEDIUM)

EUVD ID Assigned

Apr 26, 2026 - 03:00 euvd

EUVD-2026-25690

Analysis Generated

Apr 26, 2026 - 03:00 vuln.today

Patch released

Apr 26, 2026 - 03:00 nvd

Patch available

CVE Published

Apr 26, 2026 - 02:30 nvd

LOW 1.9

DescriptionCVE.org

A flaw has been found in MaxSite CMS up to 109.3. This vulnerability affects unknown code of the component down_count Plugin. This manipulation of the argument f_file/f_prefix causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. Upgrading to version 109.4 is able to resolve this issue. Patch name: 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. The affected component should be upgraded. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via htmlspecialchars() has already been fixed in the latest patch to prevent incorrect data display."

AnalysisAI

Cross-site scripting (XSS) in MaxSite CMS up to version 109.3 affects the down_count plugin, where unsanitized input in the f_file and f_prefix parameters allows authenticated high-privilege users to inject malicious scripts via remote network access with user interaction. The vendor classifies this as self-XSS due to high privilege requirements (PR:H) and user interaction (UI:P), but the lack of output encoding via htmlspecialchars() represents a secure coding violation. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain high-privilege CMS account

Delivery

Craft malicious URL with script in f_file parameter

Exploit

Trick administrator into viewing poisoned plugin output

Execution

JavaScript executes in admin browser

Impact

Steal session cookie or perform unauthorized CMS action