CVE-2026-7429

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

4.6 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N                                    

Vulnerability Description

SSCMS v7.4.0 contains a reflected cross-site scripting vulnerability in the STL processing endpoint that allows attackers to execute arbitrary JavaScript by crafting malicious STL template payloads that are decrypted and returned without proper sanitization. Attackers can exploit improper output encoding in the /api/stl/actions/dynamic endpoint to inject executable JavaScript into JSON responses, leading to session hijacking, phishing attacks, and unauthorized actions performed on behalf of users.

Vulnerability Details

Published Date

April 30, 2026

Last Modified

April 30, 2026

CWE ID

CWE-79

Source

NVD

External References

https://github.com/siteserver/cms
https://github.com/siteserver/cms/issues/3892
https://www.vulncheck.com/advisories/sscms-reflected-cross-site-scripting-via-stl-processing
https://github.com/siteserver/cms/issues/3892

CVE-2026-7429

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment