CVE-2026-7012

Description

A vulnerability was detected in MaxSite CMS up to 109.3. This affects an unknown part of the component Redirect Plugin. The manipulation of the argument f_all/f_all404 results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. Upgrading to version 109.4 is able to mitigate this issue. The patch is identified as 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. You should upgrade the affected component. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."

CVSS v3.1 Score

2.4

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

EPSS — Exploit Prediction

0.0001

Probability of exploitation

0.02%

Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-79 Cross-site Scripting (XSS)

CWE-94 CWE-94

References

Other References

https://github.com/maxsite/cms/ https://github.com/maxsite/cms/commit/8a3946bd0a54bfb72a4d57179fcd253f2c550cd7 https://github.com/maxsite/cms/releases/tag/v109 https://github.com/wnaspy/CVE/blob/main/Report-%20Stored%20XSS-in-redirect-plugin-maxsite-cms.pdf.pdf https://vuldb.com/submit/796737 https://vuldb.com/vuln/359593 https://vuldb.com/vuln/359593/cti

Frequently Asked Questions

What is CVE-2026-7012? +

A vulnerability was detected in MaxSite CMS up to 109.3. This affects an unknown part of the component Redirect Plugin. The manipulation of the argument f_all/f_all404 results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. Upgrading to version 109.4 is able to mitigate this issue. The patch is identified as 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. You should upgrade the affected component. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display." It has a CVSS v3.1 base score of 2.4 (LOW).

How severe is CVE-2026-7012? +

CVE-2026-7012 has a CVSS v3.1 score of 2.4 out of 10, rated LOW. This is a low-severity vulnerability with limited impact. The EPSS score is 0.0001, placing it in the 0th percentile for exploitation probability.

How do I check if I'm vulnerable to CVE-2026-7012? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-40282

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows …

CVE-2026-3317

Reflected Cross-Site Scripting (XSS) vulnerability in Navigate Content Management System. The vulnerability is present in the '/blog' endpoint because user …

CVE-2025-10354

Cross-Site Scripting (XSS) vulnerability reflected in Semantic MediaWiki. This vulnerability allows an attacker to execute JavaScript code in the victim's …

CVE-2026-41456

Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers …

CVE-2026-40872

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover …

CVE-2026-40878

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface …