CVE-2026-3395
MaxSite CMS MarkItUp Preview AJAX Endpoint preview-ajax.php eval code injection
Description
A flaw has been found in MaxSite CMS up to 109.1. This impacts the function eval of the file application/maxsite/admin/plugins/editor_markitup/preview-ajax.php of the component MarkItUp Preview AJAX Endpoint. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. The exploit has been published and may be used. Upgrading to version 109.2 will fix this issue. This patch is called 08937a3c5d672a242d68f53e9fccf8a748820ef3. You should upgrade the affected component. The code maintainer was informed beforehand about the issues. He reacted very fast and highly professional.
In plain language
AI Act nowCVE-2026-3395 is a MaxSite CMS security hole that lets an attacker run malicious code on your server without needing a login; if you run MaxSite CMS up to 109.1, you should treat it as an urgent patch.
In MaxSite CMS, a vulnerable MarkItUp editor AJAX endpoint (preview-ajax.php) allows unauthenticated remote attackers to inject and execute arbitrary code via an eval-based flaw in the endpoint, enabling remote code execution without user interaction.
What to do now
- Check your MaxSite CMS version and confirm whether you are running 109.1 or earlier (the fixed version is 109.2).
- If you are on 109.1 or earlier, upgrade MaxSite CMS to 109.2 as soon as possible.
- After upgrading, verify the site no longer serves the vulnerable preview-ajax.php behavior (confirm with your vendor/admin or staging test if you can).
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:LConfidentialityI:LIntegrityA:LAvailabilityWeaknesses
Affected Products
Exploitability
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
2 techniquesReferences
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-3395 and every CVE in our database. Create a free account — no credit card required.
Create Free Account