CVE-2026-37700: MaxSite CMS 109.2 XSS Vulnerability in File Upload Endpoint
MaxSite CMS version 109.2 contains a cross-site scripting (XSS) vulnerability in its backend file upload feature that allows authenticated attackers to inject malicious scripts. When an administrator performs a file upload through the admin page endpoint, an attacker with login credentials could craft a request that executes JavaScript in the victim's browser, potentially exposing sensitive information displayed during the upload process.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-07-05
NVD description (verbatim)
Cross Site Scripting vulnerability in MaxSite CMS v.109.2 allows a remote attacker to obtain sensitive information via the Backend page file upload endpoint used by admin_page
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-37700 is a stored or reflected cross-site scripting vulnerability (CWE-79) affecting MaxSite CMS v.109.2. The vulnerability exists in the backend page file upload endpoint accessed via admin_page functionality. The attack vector is network-based with low attack complexity; exploitation requires valid login credentials (PR:L) and user interaction (UI:R). The scope is changed, meaning the vulnerability can affect resources beyond the vulnerable component. CVSS 3.1 score of 4.1 reflects confidentiality impact limited to information retrieval without modification or availability disruption.
Business impact
Organizations running MaxSite CMS 109.2 face moderate risk of data leakage through administrator workflows. Since the attack requires authenticated access and user interaction, the exposure is primarily to internal teams managing content. However, if an attacker obtains credentials for a lower-privileged account with upload permissions, they could exploit this during admin operations to extract sensitive data visible in the upload interface, such as API keys, session tokens, or configuration details. The impact is information disclosure rather than system compromise or service disruption.
Affected systems
MaxSite CMS version 109.2 is explicitly affected. Organizations should verify whether any deployed instances match this exact version. Check your MaxSite installation version in the admin panel or via the version file in the application root. Earlier and potentially later versions should be evaluated based on vendor guidance to determine if they contain the same vulnerable code path in the file upload endpoint.
Exploitability
Exploitability is moderate to low. The attack requires the attacker to already possess valid login credentials, which limits the threat to scenarios involving compromised admin accounts, insider threats, or phishing of authorized users. The UI:R requirement means the victim admin must actively perform a file upload action. There is no evidence of public exploit code or active exploitation in the wild (KEV status: not listed). The vulnerability requires specific conditions to trigger—an attacker cannot simply send a malicious request and guarantee information disclosure.
Remediation
Contact MaxSite CMS directly or check their official release notes to identify whether a patched version addressing CVE-2026-37700 has been released. Verify the patch version number through the vendor advisory before deploying. Interim controls include: (1) restrict file upload endpoint access to trusted IP ranges if applicable; (2) enforce strong authentication with multi-factor authentication for admin accounts to reduce credential compromise risk; (3) monitor upload activity and review logs for suspicious requests; (4) educate administrators to avoid uploading files from untrusted sources or following suspicious links during file uploads.
Patch guidance
Apply the vendor-provided patch for MaxSite CMS as soon as it becomes available. Verify the patch version against the official MaxSite security advisory to ensure you are implementing the correct update. Test the patch in a non-production environment first to confirm compatibility with your configuration and plugins. After patching, confirm the fix by checking the version number in the admin panel. If no patch has been released yet, consult the vendor's advisories regularly or consider upgrading to a newer major version if available.
Detection guidance
Monitor for XSS attack patterns in web server and application logs, specifically targeting the admin_page file upload endpoint. Look for: (1) POST/PUT requests to the upload endpoint containing script tags or JavaScript event handlers (e.g., onerror=, onclick=); (2) unusual file names or MIME types in upload requests; (3) authentication logs showing admin account logins followed immediately by unusual upload activity; (4) HTTP responses reflecting uploaded file names without proper encoding. Enable web application firewall (WAF) rules to detect and block common XSS payloads in upload parameters. Consider implementing Content Security Policy (CSP) headers to mitigate the impact of any injected scripts.
Why prioritize this
Although CVSS 4.1 is rated MEDIUM, this vulnerability should be prioritized moderately rather than deferred. It affects authentication-required endpoints, limiting casual exploitation, but administrators regularly interact with file uploads—making the UI:R requirement realistic in normal operations. The confidentiality impact, while limited to information retrieval, poses a genuine risk of sensitive data exposure within administrative functions. Organizations should patch this within their standard update cycle (30–60 days) unless they have mitigating controls in place.
Risk score, explained
CVSS 3.1 score of 4.1 reflects: Network attack surface (AV:N), low complexity to execute (AC:L), requirement for login (PR:L), and user interaction needed (UI:R). The changed scope (S:C) acknowledges that injected JavaScript can affect other resources or sessions. Confidentiality impact is assessed as low (C:L) because the vulnerability retrieves existing information rather than enabling wholesale data exfiltration. No integrity or availability impact is assigned (I:N/A:N), as the attacker cannot modify data or disrupt service through this vector alone. The result is a below-average severity score reflecting a real but contained threat.
Frequently asked questions
Does this vulnerability allow unauthenticated access or attacks?
No. CVE-2026-37700 requires valid login credentials (PR:L). An attacker must already have administrative or upload-enabled account access. This significantly limits the attack surface to insider threats, compromised accounts, or successful phishing of authorized users.
Is this vulnerability actively exploited or part of public exploit databases?
As of the last update, CVE-2026-37700 is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog and has no known public exploit code. However, organizations should not assume indefinite safety—monitor security feeds for new exploit disclosures and apply patches promptly once available.
What versions of MaxSite CMS are affected?
MaxSite CMS version 109.2 is confirmed affected. Consult the vendor's advisory to determine whether earlier versions (109.1, 109.0, etc.) or later versions are also vulnerable. The vulnerability is specific to the backend file upload endpoint, so verify your exact version before assuming safety.
Can this vulnerability be exploited through a file download or just uploads?
The vulnerability is associated with the file upload endpoint (Backend page file upload). It is not confirmed to affect download functionality. Restricting upload permissions and monitoring upload activity will reduce risk; focus remediation on the upload workflow.
This analysis is based on the official CVE record published on 2026-06-03 and modified through 2026-07-05. CVSS scores and severity ratings are provided by the National Vulnerability Database and reflect the vulnerability's technical characteristics, not real-world exploit prevalence or business context specific to your organization. No exploit code or weaponized proof-of-concept is provided in this report. Patch availability, vendor advisories, and version numbers must be verified directly with MaxSite CMS official resources. Organizations should conduct their own risk assessment based on deployment scope, network isolation, and compensating controls. This report is for informational purposes and does not constitute professional security advice or a guarantee of remediation effectiveness. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1