CVE-2026-7429 LOW

CVE-2026-7429: SSCMS v7.4.0 Reflected Cross-Site Scripting via STL Processing

Vendor Siteserver

Product SSCMS

Weakness CWE-79 · XSS

Published April 30, 2026

Last update May 4, 2026

View on NVD All CVEs

CVSS base score

2.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

SSCMS v7.4.0 contains a reflected cross-site scripting vulnerability in the STL processing endpoint that allows attackers to execute arbitrary JavaScript by crafting malicious STL template payloads that are decrypted and returned without proper sanitization. Attackers can exploit improper output encoding in the /api/stl/actions/dynamic endpoint to inject executable JavaScript into JSON responses, leading to session hijacking, phishing attacks, and unauthorized actions performed on behalf of users.

Key dates

02Disclosure timeline

April 30, 2026 CVE published

May 4, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-7429 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2026-7429: SSCMS v7.4.0 Reflected Cross-Site Scripting via STL Processing

01Description

02Disclosure timeline

03References

04Related CVE