CVE-2026-7016
Cross-Site Scripting in MaxSite CMS ushki Plugin
Publication date: 2026-04-26
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| maxsite | maxsite_cms | to 109.4 (exc) |
| maxsite | maxsite_cms | 109.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in MaxSite CMS up to version 109.3 within the ushki Plugin component. It involves a cross-site scripting (XSS) issue caused by improper handling of the arguments f_ushka_new/f_ushk. An attacker can manipulate these arguments to inject malicious scripts that execute in the context of a user's browser. The vulnerability can be exploited remotely.
The vendor classifies this as a "Self-XSS" issue and has addressed it by applying proper input filtering using the htmlspecialchars() function to prevent incorrect data display and script injection.
How can this vulnerability impact me? :
This cross-site scripting vulnerability can allow an attacker to execute malicious scripts in the context of a user's browser when interacting with the affected MaxSite CMS component. This could lead to unauthorized actions performed on behalf of the user, theft of session cookies, or other malicious activities that compromise user security.
Since the exploit is publicly available and can be executed remotely, it increases the risk of attacks if the system is not updated to the patched version 109.4.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves cross-site scripting (XSS) through manipulation of the argument f_ushka_new/f_ushk in the ushki Plugin of MaxSite CMS up to version 109.3.
Detection can involve monitoring HTTP requests to the affected CMS for suspicious or malicious payloads in these parameters that could trigger XSS.
Specific commands are not provided in the available resources, but typical detection methods include using web application scanners or manual inspection of HTTP traffic for unusual script injections in the f_ushka_new or f_ushk parameters.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to upgrade MaxSite CMS to version 109.4, which includes a patch that applies proper input sanitization using the htmlspecialchars() function to prevent XSS.
This patch addresses the vulnerability by filtering user input in the affected plugins and admin interfaces, ensuring that malicious scripts cannot be injected.
If upgrading immediately is not possible, consider implementing input validation or filtering on the affected parameters (f_ushka_new/f_ushk) to block or sanitize potentially malicious input.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in MaxSite CMS up to version 109.3 involves a cross-site scripting (XSS) issue due to improper input sanitization in the ushki Plugin. Such vulnerabilities can lead to unauthorized script execution in users' browsers, potentially exposing user data or session information.
While the provided context does not explicitly mention compliance with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks to data integrity and confidentiality, which are critical aspects of these regulations. Failure to address such vulnerabilities could lead to non-compliance with secure coding and data protection requirements mandated by these standards.
The vendor has classified the issue as a violation of secure coding standards and has implemented a patch (version 109.4) that applies proper input filtering using htmlspecialchars() to prevent incorrect data display and mitigate the XSS risk.
Therefore, addressing this vulnerability by upgrading to the patched version helps maintain compliance with secure coding practices and reduces the risk of data breaches that could impact compliance with regulations like GDPR and HIPAA.