Vulnerability Description
SSCMS v7.4.0 contains a reflected cross-site scripting vulnerability in the STL processing endpoint that allows attackers to execute arbitrary JavaScript by crafting malicious STL template payloads that are decrypted and returned without proper sanitization. Attackers can exploit improper output encoding in the /api/stl/actions/dynamic endpoint to inject executable JavaScript into JSON responses, leading to session hijacking, phishing attacks, and unauthorized actions performed on behalf of users.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/siteserver/cms
- https://github.com/siteserver/cms/issues/3892
- https://www.vulncheck.com/advisories/sscms-reflected-cross-site-scripting-via-st
- https://github.com/siteserver/cms/issues/3892
FAQ
What is CVE-2026-7429?
CVE-2026-7429 is a vulnerability with a CVSS score of 4.6 (MEDIUM). SSCMS v7.4.0 contains a reflected cross-site scripting vulnerability in the STL processing endpoint that allows attackers to execute arbitrary JavaScript by crafting malicious STL template payloads th...
How severe is CVE-2026-7429?
CVE-2026-7429 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-7429?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.