CVE-2026-7011

Source
https://cve.org/CVERecord?id=CVE-2026-7011
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7011.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-7011
Published
2026-04-26T00:30:20.988Z
Modified
2026-07-15T01:49:00.205968528Z
Severity
  • 1.9 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
MaxSite CMS Antispam Plugin plugin_antispam cross site scripting
Details

A weakness has been identified in MaxSite CMS up to 109.3. Affected by this vulnerability is an unknown functionality of the file /admin/pluginantispam of the component Antispam Plugin. Executing a manipulation of the argument flogging_file can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 109.4 addresses this issue. This patch is called 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. Upgrading the affected component is advised. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via htmlspecialchars() has already been fixed in the latest patch to prevent incorrect data display."

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7011.json",
    "cwe_ids": [
        "CWE-79",
        "CWE-94"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "109.0"
                },
                {
                    "last_affected": "109.0"
                },
                {
                    "introduced": "109.1"
                },
                {
                    "last_affected": "109.1"
                },
                {
                    "introduced": "109.2"
                },
                {
                    "last_affected": "109.2"
                },
                {
                    "introduced": "109.3"
                },
                {
                    "last_affected": "109.3"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "VulDB"
}
References

Affected packages

Git / github.com/maxsite/cms

Affected ranges

Type
GIT
Repo
https://github.com/maxsite/cms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

v0.*
v0.87
v0.87.1
v0.88
v0.89
v0.90
v0.91
v0.92
v0.93
v0.94
v0.95
v0.96
Other
v100
v101
v102
v104
v106
v107
v108
v109
v97
v98
v99

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7011.json"