CVE-2026-7013
Received Received - Intake
Cross-Site Scripting in MaxSite CMS mail_send Plugin

Publication date: 2026-04-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in MaxSite CMS up to 109.3. Affected by this issue is some unknown functionality of the component mail_send Plugin. The manipulation of the argument f_subject/f_files/f_from leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 109.4 can resolve this issue. The identifier of the patch is 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. It is advisable to upgrade the affected component. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-26
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-7013
EUVD
EUVD-2026-25689
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
maxsite maxsite_cms to 109.4 (exc)
maxsite mail_send_plugin to 109.4 (exc)
maxsite maxsite_cms 109.4
maxsite mail_send_plugin 109.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects MaxSite CMS up to version 109.3, specifically in the mail_send Plugin component. It involves improper handling of certain input arguments (f_subject, f_files, f_from) that can be manipulated to perform a cross-site scripting (XSS) attack. This means an attacker can inject malicious scripts remotely through these inputs.

The issue arises because the inputs were not properly sanitized using functions like htmlspecialchars(), allowing unsafe data to be rendered in HTML contexts. The vulnerability is classified as a "Self-XSS" by the vendor, but it still violates secure coding standards.

Upgrading to MaxSite CMS version 109.4 resolves this issue by applying proper input sanitization to prevent incorrect data display and mitigate XSS attacks.

Impact Analysis

This vulnerability can allow an attacker to execute malicious scripts in the context of the affected website by exploiting the mail_send Plugin inputs. Such cross-site scripting attacks can lead to unauthorized actions, session hijacking, or the injection of malicious content that affects users interacting with the site.

Since the attack can be initiated remotely, it poses a risk to the security and integrity of the website and its users. However, the CVSS scores indicate a relatively low severity (BaseScore 1.9 to 3.3), suggesting limited impact under certain conditions, such as requiring high privileges or user interaction.

Upgrading to version 109.4 is recommended to mitigate these risks.

Detection Guidance

This vulnerability involves cross-site scripting (XSS) through manipulation of the arguments f_subject, f_files, or f_from in the mail_send plugin of MaxSite CMS up to version 109.3.

To detect this vulnerability on your system, you can monitor HTTP requests targeting the mail_send plugin for suspicious input in these parameters that may contain HTML or JavaScript code.

For example, you can use network monitoring tools or web server logs to search for requests containing suspicious payloads in these parameters.

A simple command to search web server logs (e.g., Apache or Nginx) for potential XSS attempts might be:

  • grep -iE 'f_subject=|f_files=|f_from=' /var/log/apache2/access.log | grep -i '<script\|javascript:'

Alternatively, using network packet capture tools like tcpdump or Wireshark to filter HTTP traffic for these parameters may help identify exploit attempts.

Mitigation Strategies

The primary mitigation step is to upgrade MaxSite CMS and the mail_send plugin to version 109.4 or later, where this vulnerability has been fixed.

The fix involves applying the htmlspecialchars() function to user inputs in the mail_send plugin to prevent cross-site scripting attacks.

If immediate upgrade is not possible, consider implementing input validation or filtering on the affected parameters (f_subject, f_files, f_from) to block or sanitize potentially malicious input.

Additionally, monitor your system for suspicious activity related to these parameters and restrict access to the mail_send plugin to trusted users where feasible.

Compliance Impact

The vulnerability in MaxSite CMS involves a cross-site scripting (XSS) issue due to improper input sanitization in the mail_send plugin. While the vendor classifies it as a "Self-XSS" and has patched it by applying htmlspecialchars() to user inputs, the description does not explicitly mention any direct impact on compliance with common standards and regulations such as GDPR or HIPAA.

However, XSS vulnerabilities can potentially lead to unauthorized access or manipulation of user data, which may indirectly affect compliance with data protection regulations that require secure handling of personal information. Since the vulnerability allows remote exploitation and involves user input manipulation, it could pose risks related to data integrity and confidentiality if exploited.

Upgrading to version 109.4 resolves the issue by enforcing secure coding standards, which aligns with best practices for maintaining compliance with security requirements in various regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7013. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart