CVE Tools

CVE-2026-3395

MaxSite CMS MarkItUp Preview AJAX Endpoint preview-ajax.php eval code injection

Published: Mar 1, 2026Updated: Apr 29, 2026 Sources: CVE List NVDCWE-74

Description

A flaw has been found in MaxSite CMS up to 109.1. This impacts the function eval of the file application/maxsite/admin/plugins/editor_markitup/preview-ajax.php of the component MarkItUp Preview AJAX Endpoint. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. The exploit has been published and may be used. Upgrading to version 109.2 will fix this issue. This patch is called 08937a3c5d672a242d68f53e9fccf8a748820ef3. You should upgrade the affected component. The code maintainer was informed beforehand about the issues. He reacted very fast and highly professional.

In plain language

AI Act now

CVE-2026-3395 is a MaxSite CMS security hole that lets an attacker run malicious code on your server without needing a login; if you run MaxSite CMS up to 109.1, you should treat it as an urgent patch.

Executive summary

In MaxSite CMS, a vulnerable MarkItUp editor AJAX endpoint (preview-ajax.php) allows unauthenticated remote attackers to inject and execute arbitrary code via an eval-based flaw in the endpoint, enabling remote code execution without user interaction.

If affected, business impact
Full site and server compromiseData theft from your CMSWebsite defacement or downtimeMalware deployment on hosting

What to do now

  1. Check your MaxSite CMS version and confirm whether you are running 109.1 or earlier (the fixed version is 109.2).
  2. If you are on 109.1 or earlier, upgrade MaxSite CMS to 109.2 as soon as possible.
  3. After upgrading, verify the site no longer serves the vulnerable preview-ajax.php behavior (confirm with your vendor/admin or staging test if you can).
Patch / advisory Usually a quick update

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:LI:LA:L
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:LConfidentiality
Low
I:LIntegrity
Low
A:LAvailability
Low

Weaknesses

Affected Products

MaxSite
commercialaka maxsite cms
max-3000
commercialaka maxsite cms

Exploitability

Official Patch Available

Attack Graph

Products CVE Techniques Tactics

Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/ + scroll to zoom, or go fullscreen.

MITRE ATT&CK

2 techniques
Execution
Initial Access
View detailed technique mapping

References

and 2 more references View all →
2

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-3395 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows