CVE-2012-10032 HIGH

CVE-2012-10032: Maxthon3 about:history XCS Trusted Zone Code Execution

Vendor Maxthon International Ltd.
Product Maxthon3 Browser
Weakness CWE-79 · XSS
Published August 5, 2025
Last update May 25, 2026
View on NVD All CVEs

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Maxthon3 version 3.2.2 build 1000 and prior are vulnerable to cross context scripting (XCS) via the about:history page. The browser’s trusted zone improperly handles injected script content, allowing attackers to execute arbitrary JavaScript in a privileged context. This flaw enables modification of browser configuration and execution of arbitrary code through Maxthon’s exposed DOM APIs, including maxthon.program.Program.launch() and maxthon.io.writeDataURL(). Exploitation requires user interaction, typically by visiting a malicious webpage that triggers the injection.

Key dates

02Disclosure timeline

August 5, 2025 CVE published
May 25, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-4169 Tecnick TCExam XML Export tce_xml_users.php F_xml_export_users cross site scripting CVE-2025-32590 WordPress Web2application Plugin <= 6.1 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2026-48999 Stored Cross-Site Scripting (XSS) vulnerability in ZTE ZXUniPOS NDS-LTE product CVE-2026-8897 Shortcode Buddy <= 0.1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes CVE-2024-50522 WordPress WeChat Subscribers Lite plugin <= 1.6.6 - Reflected Cross Site Scripting (XSS) vulnerability