Skip to main content

MaxSite CMS EUVDEUVD-2026-34180

| CVE-2026-37700 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-03 cve@mitre.org GHSA-56f6-763p-wprp
4.1
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
4.1 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 05, 2026 - 03:19 vuln.today
CVSS changed
Jun 05, 2026 - 02:22 NVD
4.1 (MEDIUM)
CVE Published
Jun 03, 2026 - 20:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Cross Site Scripting vulnerability in MaxSite CMS v.109.2 allows a remote attacker to obtain sensitive information via the Backend page file upload endpoint used by admin_page

AnalysisAI

Stored or reflected Cross-Site Scripting in MaxSite CMS v.109.2 allows a remote attacker with low-privilege authenticated access to inject malicious scripts via the Backend page file upload endpoint (admin_page), which execute in the browsers of other users - including administrators - to exfiltrate sensitive information such as session tokens. The CVSS vector (S:C) confirms the attack crosses a security scope boundary, amplifying impact beyond the attacker's own session. A researcher-published proof-of-concept is publicly available on GitHub, though EPSS remains very low at 0.05% (17th percentile) and no active exploitation has been confirmed by CISA KEV.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) describes a failure to sanitize or encode attacker-controlled input before rendering it in an HTML response. In this case, the vulnerable surface is the file upload endpoint associated with the admin_page component of MaxSite CMS v.109.2 - a PHP-based content management system. Attacker-supplied data (likely a filename, file metadata, or file content) is reflected or stored without adequate output encoding, enabling injection of arbitrary JavaScript. The CVSS Scope:Changed rating indicates the injected script executes in a security context different from the upload context - classically, the attacker writes to the CMS backend and a privileged admin's browser executes the payload. No CPE strings were provided in the source intelligence; the affected product is identified solely by version string 109.2 from the CVE description.

RemediationAI

No vendor-released patch or fixed version has been identified from available data - the vendor advisory at http://maxsite.com does not link to a specific security bulletin in the provided references. Until a patch is released, the following compensating controls are recommended: restrict file upload permissions on the admin_page endpoint to the minimum necessary privilege tier, reducing attacker access; implement a strict Content Security Policy (CSP) header (e.g., default-src 'self') to prevent execution of injected scripts, noting this may break legitimate inline scripts in the CMS backend; sanitize and reject non-standard characters in uploaded filenames at the server layer; and enforce separate admin and contributor sessions with short expiry to limit session token exposure. Monitor the vendor site at http://maxsite.com and the researcher PoC at https://github.com/PureStream108/CVE/blob/main/MaxSite109.2/about_en.md for patch availability updates.

Share

EUVD-2026-34180 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy