Reflected Cross-Site Scripting Vulnerability in SSCMS by SiteServer
CVE-2026-7429

2.1LOW

Key Information:

Vendor: Siteserver
Status: Sscms
Vendor: CVE Published:; 30 April 2026

What is CVE-2026-7429?

The SSCMS product version 7.4.0 has a reflected cross-site scripting vulnerability that affects the STL processing endpoint. This security flaw allows attackers to execute arbitrary JavaScript by sending specially crafted malicious STL template payloads. Due to improper output encoding in the /api/stl/actions/dynamic endpoint, these payloads can be decrypted and returned without sufficient sanitization. Attackers exploit this weakness to inject executable JavaScript into JSON responses, which could lead to serious security issues, including session hijacking, phishing attacks, and unauthorized actions carried out on behalf of users.

Affected Version(s)

SSCMS 7.4.0

References

https://github.com/siteserver/cms/issues/3892

issue-tracking

https://github.com/siteserver/cms

product

https://www.vulncheck.com/advisories/sscms-reflected-cros...

third-party-advisory

CVSS V4

Score:

2.1

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 30, 2026
Vulnerability Reserved
Apr 29, 2026

Credit

hss94531 (https://github.com/hss94531)

Beatriz Fresno Naumova

CVE-2026-7429 Data

JSON