CVE-2026-7016
Received Received - Intake
Cross-Site Scripting in MaxSite CMS ushki Plugin

Publication date: 2026-04-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in MaxSite CMS up to 109.3. Impacted is an unknown function of the component ushki Plugin. Performing a manipulation of the argument f_ushka_new/f_ushk results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. Upgrading to version 109.4 is recommended to address this issue. The patch is named 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. Upgrading the affected component is recommended. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-26
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7016
EUVD
EUVD-2026-25692
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
maxsite maxsite_cms to 109.4 (exc)
maxsite maxsite_cms 109.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in MaxSite CMS up to version 109.3 within the ushki Plugin component. It involves a cross-site scripting (XSS) issue caused by improper handling of the arguments f_ushka_new/f_ushk. An attacker can manipulate these arguments to inject malicious scripts that execute in the context of a user's browser. The vulnerability can be exploited remotely.

The vendor classifies this as a "Self-XSS" issue and has addressed it by applying proper input filtering using the htmlspecialchars() function to prevent incorrect data display and script injection.

Impact Analysis

This cross-site scripting vulnerability can allow an attacker to execute malicious scripts in the context of a user's browser when interacting with the affected MaxSite CMS component. This could lead to unauthorized actions performed on behalf of the user, theft of session cookies, or other malicious activities that compromise user security.

Since the exploit is publicly available and can be executed remotely, it increases the risk of attacks if the system is not updated to the patched version 109.4.

Detection Guidance

This vulnerability involves cross-site scripting (XSS) through manipulation of the argument f_ushka_new/f_ushk in the ushki Plugin of MaxSite CMS up to version 109.3.

Detection can involve monitoring HTTP requests to the affected CMS for suspicious or malicious payloads in these parameters that could trigger XSS.

Specific commands are not provided in the available resources, but typical detection methods include using web application scanners or manual inspection of HTTP traffic for unusual script injections in the f_ushka_new or f_ushk parameters.

Mitigation Strategies

The recommended immediate mitigation is to upgrade MaxSite CMS to version 109.4, which includes a patch that applies proper input sanitization using the htmlspecialchars() function to prevent XSS.

This patch addresses the vulnerability by filtering user input in the affected plugins and admin interfaces, ensuring that malicious scripts cannot be injected.

If upgrading immediately is not possible, consider implementing input validation or filtering on the affected parameters (f_ushka_new/f_ushk) to block or sanitize potentially malicious input.

Compliance Impact

The vulnerability in MaxSite CMS up to version 109.3 involves a cross-site scripting (XSS) issue due to improper input sanitization in the ushki Plugin. Such vulnerabilities can lead to unauthorized script execution in users' browsers, potentially exposing user data or session information.

While the provided context does not explicitly mention compliance with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks to data integrity and confidentiality, which are critical aspects of these regulations. Failure to address such vulnerabilities could lead to non-compliance with secure coding and data protection requirements mandated by these standards.

The vendor has classified the issue as a violation of secure coding standards and has implemented a patch (version 109.4) that applies proper input filtering using htmlspecialchars() to prevent incorrect data display and mitigate the XSS risk.

Therefore, addressing this vulnerability by upgrading to the patched version helps maintain compliance with secure coding practices and reduces the risk of data breaches that could impact compliance with regulations like GDPR and HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7016. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart