CVE-2026-37700 in MaxSite
Summary
by MITRE • 06/03/2026
Cross Site Scripting vulnerability in MaxSite CMS v.109.2 allows a remote attacker to obtain sensitive information via the Backend page file upload endpoint used by admin_page
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 06/04/2026
This cross site scripting vulnerability in MaxSite CMS version 109.2 represents a critical security flaw that enables remote attackers to execute malicious scripts within the context of administrator sessions. The vulnerability specifically affects the backend page file upload endpoint that is utilized by the admin_page functionality, creating an attack vector where malicious actors can inject javascript code into the system. The flaw stems from inadequate input validation and output encoding mechanisms within the file upload processing logic, allowing attackers to upload files containing malicious payloads that can be executed when administrators view the uploaded content. This vulnerability falls under the CWE-79 category for cross site scripting, which is classified as a persistent security weakness that enables attackers to inject client-side scripts into web applications. The attack surface is particularly concerning as it targets administrative interfaces where sensitive information and system controls are managed, potentially allowing for privilege escalation and unauthorized access to backend systems. According to ATT&CK framework, this vulnerability maps to T1059.007 for command and scripting interpreter and T1566.001 for valid accounts, as attackers can leverage the XSS to gain access to administrative sessions and potentially escalate privileges. The operational impact extends beyond simple information disclosure, as successful exploitation could lead to complete system compromise through session hijacking, data exfiltration, and unauthorized modifications to the CMS configuration. Attackers can craft malicious files with embedded javascript that executes when administrators interact with the uploaded content, potentially stealing session cookies or redirecting users to malicious sites. The vulnerability is particularly dangerous because it leverages the trust relationship between the administrator and the CMS backend, where legitimate administrative actions become vectors for malicious code execution. The file upload endpoint lacks proper sanitization of file names and content, allowing attackers to bypass security controls through crafted file extensions or embedded script tags. This weakness aligns with the broader category of insecure file handling practices that have been documented in numerous security assessments and contribute significantly to web application compromise scenarios. Organizations running this version of MaxSite CMS should immediately implement mitigations including input validation, output encoding, and access controls to prevent unauthorized file uploads, while also considering the implementation of web application firewalls to detect and block malicious upload attempts. The vulnerability demonstrates the critical importance of proper security testing and input validation in administrative interfaces, as these areas represent prime targets for attackers seeking to gain persistent access to sensitive systems.