Max

14 exploits Active since Oct 2002
CVE-2026-7011 WRITEUP LOW WRITEUP
MaxSite CMS Antispam Plugin plugin_antispam cross site scripting
A weakness has been identified in MaxSite CMS up to 109.3. Affected by this vulnerability is an unknown functionality of the file /admin/plugin_antispam of the component Antispam Plugin. Executing a manipulation of the argument f_logging_file can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 109.4 addresses this issue. This patch is called 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. Upgrading the affected component is advised. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."
CVSS 2.4
CVE-2026-7012 WRITEUP LOW WRITEUP
MaxSite CMS Redirect Plugin cross site scripting
A vulnerability was detected in MaxSite CMS up to 109.3. This affects an unknown part of the component Redirect Plugin. The manipulation of the argument f_all/f_all404 results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. Upgrading to version 109.4 is able to mitigate this issue. The patch is identified as 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. You should upgrade the affected component. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."
CVSS 2.4
CVE-2026-7013 WRITEUP LOW WRITEUP
MaxSite CMS mail_send Plugin cross site scripting
A security vulnerability has been detected in MaxSite CMS up to 109.3. Affected by this issue is some unknown functionality of the component mail_send Plugin. The manipulation of the argument f_subject/f_files/f_from leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 109.4 can resolve this issue. The identifier of the patch is 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. It is advisable to upgrade the affected component. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."
CVSS 2.4
CVE-2026-7014 WRITEUP LOW WRITEUP
MaxSite CMS down_count Plugin cross site scripting
A flaw has been found in MaxSite CMS up to 109.3. This vulnerability affects unknown code of the component down_count Plugin. This manipulation of the argument f_file/f_prefix causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. Upgrading to version 109.4 is able to resolve this issue. Patch name: 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. The affected component should be upgraded. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."
CVSS 2.4
CVE-2026-7015 WRITEUP LOW WRITEUP
MaxSite CMS Guestbook Plugin cross site scripting
A vulnerability has been found in MaxSite CMS up to 109.3. This issue affects some unknown processing of the component Guestbook Plugin. Such manipulation of the argument f_text/f_slug/f_limit/f_email leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 109.4 is capable of addressing this issue. The name of the patch is 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. It is suggested to upgrade the affected component. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."
CVSS 2.4
CVE-2026-7016 WRITEUP LOW WRITEUP
MaxSite CMS ushki Plugin cross site scripting
A vulnerability was found in MaxSite CMS up to 109.3. Impacted is an unknown function of the component ushki Plugin. Performing a manipulation of the argument f_ushka_new/f_ushk results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. Upgrading to version 109.4 is recommended to address this issue. The patch is named 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. Upgrading the affected component is recommended. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."
CVSS 2.4
CVE-2026-28395 WRITEUP MEDIUM WRITEUP
OpenClaw 2026.1.14-1 - Info Disclosure
OpenClaw version 2026.1.14-1 prior to 2026.2.12 contain an improper network binding vulnerability in the Chrome extension (must be installed and enabled) relay server that treats wildcard hosts as loopback addresses, allowing the relay HTTP/WS server to bind to all interfaces when a wildcard cdpUrl is configured. Remote attackers can access relay HTTP endpoints off-host to leak service presence and port information, or conduct denial-of-service and brute-force attacks against the relay token header.
CVSS 6.5
CVE-2021-35265 WRITEUP MEDIUM WRITEUP
MaxSite CMS <V106 - XSS
A reflected cross-site scripting (XSS) vulnerability in MaxSite CMS before V106 via product/page/* allows remote attackers to inject arbitrary web script to a page.
CVSS 6.1
CVE-2025-69874 WRITEUP CRITICAL WRITEUP
NPM Nanotar - Path Traversal
nanotar through 0.2.0 has a path traversal vulnerability in parseTar() and parseTarGzip() that allows remote attackers to write arbitrary files outside the intended extraction directory via a crafted tar archive containing path traversal sequence.
CVSS 9.8
CVE-2023-53948 EXPLOITDB CRITICAL python WORKING POC
Lilac-Reloaded for Nagios 2.0.8 - RCE
Lilac-Reloaded for Nagios 2.0.8 contains a remote code execution vulnerability in the autodiscovery feature that allows attackers to inject arbitrary commands. Attackers can exploit the lack of input filtering in the nmap_binary parameter to execute a reverse shell by sending a crafted POST request to the autodiscovery endpoint.
CVSS 9.8
CVE-2021-31166 METASPLOIT CRITICAL ruby WORKING POC
Windows IIS HTTP Protocol Stack DOS
HTTP Protocol Stack Remote Code Execution Vulnerability
CVSS 9.8
CVE-2003-1006 EXPLOITDB text WORKING POC
Apple Mac OS X - Buffer Overflow
Buffer overflow in cd9660.util in Apple Mac OS X 10.0 through 10.3.2 and Apple Mac OS X Server 10.0 through 10.3.2 may allow local users to execute arbitrary code via a long command line parameter.
CVE-2002-0900 EXPLOITDB text WORKING POC
MIT Pgp Public Key Server - Buffer Overflow
Buffer overflow in pks PGP public key web server before 0.9.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long search argument to the lookup capability.
CVE-2002-2348 EXPLOITDB text WORKING POC
Authoria - XSS
Cross-site scripting (XSS) vulnerability in athcgi.exe in Authoria HR allows remote attackers to inject arbitrary web script or HTML via the command parameter.