CVE Alert

CVE-2026-3395

HIGH 7.3

MaxSite CMS MarkItUp Preview AJAX Endpoint preview-ajax.php eval code injection

CVSS Score: 7.3
EPSS Score: 0.0%
EPSS Percentile: 0th

A flaw has been found in MaxSite CMS up to 109.1. It affects the function eval in the file application/maxsite/admin/plugins/editor_markitup/preview-ajax.php of the component MarkItUp Preview AJAX Endpoint. Manipulation can lead to code injection. The attack can be launched remotely. The exploit has been published and may be used. Upgrading to version 109.2 fixes this issue. The patch is identified as commit 08937a3c5d672a242d68f53e9fccf8a748820ef3. Upgrading the affected component is recommended. The code maintainer was informed beforehand about the issues. He reacted very quickly and highly professionally.

CWE: CWE-94, CWE-74
Vendor: maxsite
Product: cms
Published: Mar 1, 2026
Last Updated: Mar 2, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Affected Versions

MaxSite / CMS: 109.0, 109.1

References

vuldb.com: https://vuldb.com/?id.348281
vuldb.com: https://vuldb.com/?ctiid.348281
vuldb.com: https://vuldb.com/?submit.762169
github.com: https://github.com/maxsite/cms/commit/08937a3c5d672a242d68f53e9fccf8a748820ef3
github.com: https://github.com/maxsite/cms/

Credits

mrsolo404 (VulDB User), VulDB