CVE-2026-7013

Name of the Vulnerable Software and Affected Versions MaxSite CMS versions prior to 109.4

Description A cross-site scripting issue exists in the mail send plugin. Remote attackers can initiate an attack by manipulating the f subject, f files, or f from arguments. This occurs due to a lack of filtering via the htmlspecialchars() function, which is used to convert special characters to HTML entities to prevent the browser from interpreting them as code.

Recommendations Upgrade to version 109.4.