Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability has been found in MaxSite CMS up to 109.3. This issue affects some unknown processing of the component Guestbook Plugin. Such manipulation of the argument f_text/f_slug/f_limit/f_email leads to cross-site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 109.4 is capable of addressing this issue. The name of the patch is 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. It is suggested to upgrade the affected component. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via htmlspecialchars() has already been fixed in the latest patch to prevent incorrect data display."
Analysis (AI)
Cross-site scripting (XSS) in the MaxSite CMS Guestbook Plugin up to version 109.3: the f_text, f_slug, f_limit and f_email parameters are written into the page without htmlspecialchars() output encoding, so an authenticated high-privilege user can place script in the rendered HTML. The vector (PR:H, UI:P) confines the attacker to accounts that already hold administrative trust, and the vendor classifies the issue as a self-XSS, but a public exploit exists and the fix (commit 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7, shipped in 109.4) adds the missing encoding, so upgrading is the straightforward remedy. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | All of the following are required: (1) credentials for a high-privilege account on the MaxSite CMS installation (PR:H in the CVSS vector); (2) access to the Guestbook Plugin interface that accepts the f_text, f_slug, f_limit and f_email parameters (AV:N, so the request can be sent over the network, but the plugin's own access control still applies); (3) a request carrying an XSS payload in one of those parameters; (4) a user viewing the page that renders the stored value (UI:P). The vendor calls this a self-XSS, meaning the viewer is typically the same administrator who entered the value; the description only says "some unknown processing" of the plugin and does not state which page renders the fields or whether lower-privileged users ever see them. … |
| Risk Assessment | CVSS 4.8 (CVSS 4.0, NVD) with PR:H and UI:P signals moderate but constrained risk: the attacker must already hold an administrative account, and the payload only fires in a browser that renders the affected field. … |
| Exploit Scenario | A malicious or compromised high-privilege administrator sends a POST request to the Guestbook Plugin with f_text=<script>alert(1)</script>, or an equivalent payload in f_slug, f_limit or f_email. When the page that renders the stored value is viewed, the script runs in the viewer's browser session and can issue requests with the viewer's CMS privileges; reading the session cookie additionally depends on that cookie not being marked HttpOnly. … |
| Remediation | Upgrade MaxSite CMS to version 109.4 or later; the fix is commit 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7, which applies htmlspecialchars() output encoding to f_text, f_slug, f_limit and f_email in the Guestbook Plugin. Until the upgrade, keep the plugin's settings reachable by the smallest possible set of administrators. After upgrading, confirm the encoding is in place: save a value such as <b>x</b> in each of the four fields and check that it is displayed literally rather than rendered as bold text. … |
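The PHP below is added here as an illustration and is not code from MaxSite CMS or from the patch commit. It places the unencoded output that the description refers to beside the htmlspecialchars() form the fix applies, and checks that the encoded render carries no markup characters beyond the template's own. The four field names come from the advisory; the form markup, the render functions and the sample payloads are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not MaxSite CMS code: shows the flaw the advisory describes
// (guestbook option values written into HTML without htmlspecialchars()) next
// to the hardened form. The field names f_text, f_slug, f_limit and f_email
// come from the advisory; the form markup and the render functions are
// assumptions made for illustration.

// Constructed sample input: what an attacker-controlled admin could submit.
// Each value targets the context it lands in below (element body,
// double-quoted attribute, single-quoted attribute).
const SAMPLE_INPUT = [
    'f_text'  => '<script>alert(1)</script>',
    'f_slug'  => "guestbook' onmouseover='alert(2)",
    'f_limit' => '10"><img src=x onerror=alert(3)>',
    'f_email' => 'a@example.com<script>alert(4)</script>',
];

// Vulnerable pattern: the values are concatenated straight into the markup.
function render_raw(array $f): string
{
    return '<input name="f_limit" value="' . $f['f_limit'] . '">' . "\n"
         . "<input name='f_slug' value='" . $f['f_slug'] . "'>" . "\n"
         . '<p class="f_text">' . $f['f_text'] . '</p>' . "\n"
         . '<p class="f_email">' . $f['f_email'] . '</p>' . "\n";
}

// Hardened pattern: one encoder used at every output point. ENT_QUOTES is
// required because before PHP 8.1 the default flags (ENT_COMPAT) leave the
// single quote untouched, which is exactly what the f_slug payload abuses.
// ENT_SUBSTITUTE keeps invalid UTF-8 from making htmlspecialchars() return
// an empty string, and the charset is stated explicitly.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_safe(array $f): string
{
    return '<input name="f_limit" value="' . e($f['f_limit']) . '">' . "\n"
         . "<input name='f_slug' value='" . e($f['f_slug']) . "'>" . "\n"
         . '<p class="f_text">' . e($f['f_text']) . '</p>' . "\n"
         . '<p class="f_email">' . e($f['f_email']) . '</p>' . "\n";
}

// Counts the characters that open a tag or close an attribute. After correct
// encoding only the template's own markup contributes to these counts, so the
// result must equal the count for a render with every field empty.
function markup_chars(string $html): array
{
    return [
        'lt' => substr_count($html, '<'),
        'dq' => substr_count($html, '"'),
        'sq' => substr_count($html, "'"),
    ];
}

$empty    = array_fill_keys(array_keys(SAMPLE_INPUT), '');
$baseline = markup_chars(render_safe($empty));

if (markup_chars(render_raw(SAMPLE_INPUT)) === $baseline) {
    throw new RuntimeException('raw render should leak markup from the fields');
}
if (markup_chars(render_safe(SAMPLE_INPUT)) !== $baseline) {
    throw new RuntimeException('encoded render still contains raw markup');
}
echo render_safe(SAMPLE_INPUT);
```

Run it with `php example.php`; it prints the encoded form and exits without an exception. The count comparison is deliberately blunt: it does not prove the output is safe in every context (a value placed inside a `<script>` block or a URL attribute needs context-specific encoding that htmlspecialchars() does not provide), but it is enough to show that the four fields no longer contribute tag or quote characters to the page, which is the defect the advisory names.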
EUVD identifier: EUVD-2026-25691