PT-2026-36171 · Sscms · Sscms

Hss94531 · Published 2026-04-30 · Updated 2026-04-30 · CVE-2026-7429

CVSS v3.1: 4.6 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

SSCMS version 7.4.0

Description

A reflected cross-site scripting issue exists in the STL processing endpoint. Attackers can execute arbitrary JavaScript by crafting malicious STL template payloads that are decrypted and returned without proper sanitization. Specifically, improper output encoding in the "/api/stl/actions/dynamic" endpoint allows the injection of executable JavaScript into JSON responses, which can lead to session hijacking, phishing attacks, and unauthorized actions performed on behalf of users.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-7429

Affected Products

Sscms