CVE-2012-10032
Maxthon3 about:history XCS Trusted Zone Code Execution
CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th
Maxthon3 versions prior to 3.3 are vulnerable to cross context scripting (XCS) via the about:history page. The browser’s trusted zone improperly handles injected script content, allowing attackers to execute arbitrary JavaScript in a privileged context. This flaw enables modification of browser configuration and execution of arbitrary code through Maxthon’s exposed DOM APIs, including maxthon.program.Program.launch() and maxthon.io.writeDataURL(). Exploitation requires user interaction, typically by visiting a malicious webpage that triggers the injection.
| CWE | CWE-79, CWE-94 |
| Vendor | maxthon international ltd. |
| Product | maxthon3 browser |
| Published | Aug 5, 2025 |
| Last Updated | Apr 7, 2026 |
Affected Versions
Maxthon International Ltd. / Maxthon3 Browser
From 3.1.7 build 600 up to and including 3.2.2 build 1000
References
raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/browser/maxthon_history_xcs.rb
exploit-db.com: https://www.exploit-db.com/exploits/23225
blog.malerisch.net: http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html
maxthon.com: https://www.maxthon.com/
fortiguard.com: https://www.fortiguard.com/encyclopedia/ips/34203
vulncheck.com: https://www.vulncheck.com/advisories/maxthon3-xcs-trusted-zone-code-exec
Credits
Roberto Suggi Liverani