CVE-2026-3395
Received Received - Intake
Remote Code Injection in MaxSite CMS MarkItUp Preview Endpoint

Publication date: 2026-03-01

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in MaxSite CMS up to 109.1. This impacts the function eval of the file application/maxsite/admin/plugins/editor_markitup/preview-ajax.php of the component MarkItUp Preview AJAX Endpoint. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. The exploit has been published and may be used. Upgrading to version 109.2 will fix this issue. This patch is called 08937a3c5d672a242d68f53e9fccf8a748820ef3. You should upgrade the affected component. The code maintainer was informed beforehand about the issues. He reacted very fast and highly professional.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-01
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-01
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3395
EUVD
EUVD-2026-9130
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
max-3000 maxsite_cms to 109.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3395 is a critical remote code injection vulnerability in MaxSite CMS versions up to 109.1, specifically in the MarkItUp Preview AJAX Endpoint located at application/maxsite/admin/plugins/editor_markitup/preview-ajax.php.

The vulnerability arises because user input is passed unsafely to the eval function without proper authentication or input sanitization, allowing attackers to inject and execute arbitrary PHP code remotely.

This means an attacker can send specially crafted requests to the preview AJAX endpoint and execute any PHP code on the server with the privileges of the web server process.

The issue is due to improper control of code generation (CWE-94) and is exploitable without authentication, making it highly dangerous.

The vulnerability was fixed in MaxSite CMS version 109.2 by enforcing authentication checks and referer validation on the affected AJAX endpoints.

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary code on the affected server without any authentication.

  • Attackers can fully compromise the CMS, including accessing and modifying content, user accounts, configurations, and databases.
  • It impacts the confidentiality, integrity, and availability of the system.
  • Attackers may achieve persistence or lateral movement within the network depending on system defenses.
  • Exploitation is straightforward and publicly documented, increasing the risk of widespread attacks.

Overall, this vulnerability poses a critical security risk that can lead to complete system takeover.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying if your MaxSite CMS installation is running a vulnerable version (up to 109.1) and if the MarkItUp Preview AJAX Endpoint at application/maxsite/admin/plugins/editor_markitup/preview-ajax.php is accessible without authentication.'}, {'type': 'paragraph', 'content': 'One practical detection method is to use Google dorking with the query: inurl:application/maxsite/admin/plugins/editor_markitup/preview-ajax.php to find potentially vulnerable targets.'}, {'type': 'paragraph', 'content': "On your network or system, you can test the endpoint by sending a crafted POST request to the preview-ajax.php endpoint with a payload containing PHP code inside [php]...[/php] tags, for example: [php]echo 'RCE_OK';[/php]. If the response contains 'RCE_OK', it confirms the vulnerability."}, {'type': 'paragraph', 'content': 'Commands using curl to test the vulnerability might look like this:'}, {'type': 'list_item', 'content': 'curl -X POST -d "data=[php]echo \'RCE_OK\';[/php]" https://target-site/application/maxsite/admin/plugins/editor_markitup/preview-ajax.php'}, {'type': 'paragraph', 'content': "If the response includes the string 'RCE_OK', the system is vulnerable."}] [2, 3]

Mitigation Strategies

The primary and immediate mitigation step is to upgrade MaxSite CMS to version 109.2 or later, which includes the patch that fixes this vulnerability by enforcing authentication and referer checks on the affected AJAX endpoints.

If upgrading immediately is not possible, consider the following temporary mitigations:

  • Restrict access to the preview-ajax.php endpoint by implementing authentication checks or IP-based access controls.
  • Disable or remove the run_php plugin or any plugin that allows execution of PHP code via user input.
  • Implement web application firewall (WAF) rules to block requests containing suspicious payloads such as [php] tags.
  • Add CSRF protection and verify HTTP referer headers to prevent unauthorized AJAX requests.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3395. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart