Description
A flaw has been found in MaxSite CMS up to 109.1. This impacts the function eval of the file application/maxsite/admin/plugins/editor_markitup/preview-ajax.php of the component MarkItUp Preview AJAX Endpoint. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. The exploit has been published and may be used. Upgrading to version 109.2 will fix this issue. This patch is called 08937a3c5d672a242d68f53e9fccf8a748820ef3. You should upgrade the affected component. The code maintainer was informed beforehand about the issues. He reacted very fast and highly professional.
Published: 2026-03-01
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability is an eval code injection (CWE-94) in the MarkItUp Preview AJAX Endpoint of MaxSite CMS. The plugin file preview-ajax.php passes user-controlled request data into PHP's eval function, so whatever the client sends is executed as PHP code inside the web server process. A successful exploit therefore gives an attacker arbitrary code execution with the privileges of the PHP worker, which on a typical deployment is enough to read the CMS configuration and database credentials, plant a web shell, and pivot toward full system takeover. The CVE description does not say whether the endpoint is reachable anonymously; the file sits under the admin plugin tree, but every CVSS vector recorded for this CVE scores it as PR:N (no privileges required), so treat it as exploitable without authentication until the installation's access controls have been verified.
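As an illustration added here (not MaxSite's own code and not the contents of preview-ajax.php), the following PHP shows the pattern described above, a preview handler that feeds request data to eval, next to a hardened handler that requires an admin session plus a CSRF token and renders the markup as text instead of executing it. All function names and the session keys are hypothetical.

```php
<?php
// Added illustration of an eval code-injection pattern and one hardened
// alternative. This is NOT MaxSite's preview-ajax.php; names are hypothetical.

// --- Vulnerable pattern -------------------------------------------------
// A "preview" endpoint that lets the client decide which PHP builds the
// preview. Everything in $_POST['data'] becomes executable server-side code.
function vulnerable_preview(array $post): string
{
    $data = $post['data'] ?? '';
    // data="system('id');" is enough for remote code execution
    ob_start();
    eval($data);
    return (string) ob_get_clean();
}

// --- Hardened pattern ---------------------------------------------------
// 1. Require an authenticated admin session and a per-session CSRF token, so
//    an anonymous POST (the PR:N case in the CVSS vectors) is rejected.
// 2. Never evaluate request data as code; treat it as text to be rendered.
// 3. Escape the output so the preview cannot inject script into the admin page.
function hardened_preview(array $post, array $session): string
{
    if (empty($session['is_admin'])) {
        http_response_code(403);
        return '';
    }
    $token = (string) ($post['csrf'] ?? '');
    if ($token === '' || !hash_equals((string) ($session['csrf'] ?? ''), $token)) {
        http_response_code(403);
        return '';
    }
    $text = (string) ($post['data'] ?? '');
    // Escape first, then apply a tiny allow-listed markup transform; nothing
    // the client sent is ever interpreted as PHP.
    $html = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $html = preg_replace('/\*\*(.+?)\*\*/s', '<strong>$1</strong>', $html);
    $html = preg_replace('/\*(.+?)\*/s', '<em>$1</em>', $html);
    return nl2br($html);
}

// Constructed input: a payload an attacker would POST to the endpoint.
$attack = ['data' => "echo shell_exec('id');", 'csrf' => 'abc'];
// vulnerable_preview($attack) would run shell_exec('id') on the server.
// hardened_preview($attack, ['is_admin' => true, 'csrf' => 'abc']) returns the
// payload as escaped HTML text and executes nothing.
```

The hardened version fixes two separate weaknesses: the missing access control (so an unauthenticated client cannot reach the handler at all) and the use of eval on request data (so even an authenticated admin, or an attacker who has stolen an admin session, gets no code execution from the preview feature).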

Affected Systems

MaxSite CMS versions up to and including 109.1 are affected; the vulnerable code is the editor_markitup plugin's preview-ajax.php under the administration interface. Version 109.2 and later carry the fix, commit 08937a3c5d672a242d68f53e9fccf8a748820ef3, which removes the vulnerable code. Administrators of older installations should update to 109.2 or later; an installation that cannot be upgraded immediately should have the plugin file removed or its URL blocked in the meantime.

Risk and Exploitability

The CVSS 4.0 base score of 6.9 (Medium) shown above is the lowest of the scores recorded for this CVE: the CVSS 3.0 and 3.1 vectors score it 7.3 (High) and CVSS 2.0 scores it 7.5, all with a network attack vector, low attack complexity and no privileges or user interaction required. The EPSS score below 1% means the model currently predicts a low probability of in-the-wild exploitation, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, but a proof-of-concept exploit has been published (SSVC: Exploitation poc, Automatable yes), so scanning for and opportunistic exploitation of exposed installations should be expected. The endpoint is reachable over the network wherever the CMS is exposed; the CVE text does not state whether it enforces authentication, and the recorded vectors assume it does not, so any client that can reach the admin URL path should be considered able to attempt the attack.

Generated by OpenCVE AI on April 17, 2026 at 13:45 UTC.

Remediation

Vendor fix: MaxSite CMS 109.2, commit 08937a3c5d672a242d68f53e9fccf8a748820ef3 (per the CVE description). Workaround until upgraded: remove, or deny web access to, application/maxsite/admin/plugins/editor_markitup/preview-ajax.php.

OpenCVE Recommended Actions

  • Upgrade MaxSite CMS to version 109.2 or later, applying the commit 08937a3c5d672a242d68f53e9fccf8a748820ef3 that eliminates the eval injection.
  • If upgrading is not immediately possible, disable or delete the preview-ajax.php script or block its URL through server configuration to prevent access.
  • Enforce authentication and, if possible, restrict network access to the CMS administration area using VPNs or firewall rules to reduce the attack surface.
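As an added check (not MaxSite's or OpenCVE's code), the following PHP CLI script looks for the file named in the advisory under a given install root and tokenizes it to find eval calls, which the fix is described as removing. The script name, the install-root argument and the assumption that the root directory contains application/maxsite/... are mine.

```php
<?php
// Added check script (not part of MaxSite or OpenCVE). Reports whether an
// installation still ships preview-ajax.php containing an eval() call.
// Usage: php check_maxsite_eval.php /var/www/maxsite
// Assumption: the argument is the directory that holds application/maxsite/...
// as in the path named in the advisory.

const VULN_FILE = 'application/maxsite/admin/plugins/editor_markitup/preview-ajax.php';

// Return the line numbers of every eval() in a PHP source string.
function find_eval_calls(string $php_source): array
{
    // Use the tokenizer rather than a regex so "eval" inside comments or
    // string literals is not reported and odd spacing does not hide a real call.
    $hits = [];
    foreach (token_get_all($php_source) as $tok) {
        if (is_array($tok) && $tok[0] === T_EVAL) {
            $hits[] = $tok[2]; // line number of the token
        }
    }
    return $hits;
}

// Classify an install root as file-absent, eval-present or no-eval.
function assess_install(string $root): array
{
    $path = rtrim($root, '/') . '/' . VULN_FILE;
    if (!is_file($path)) {
        return ['status' => 'file-absent', 'path' => $path, 'lines' => []];
    }
    $src = file_get_contents($path);
    $lines = find_eval_calls($src === false ? '' : $src);
    return [
        'status' => $lines ? 'eval-present' : 'no-eval',
        'path'   => $path,
        'lines'  => $lines,
    ];
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $r = assess_install($argv[1]);
    switch ($r['status']) {
        case 'file-absent':
            echo "Not found: {$r['path']} (plugin removed, or a different layout)\n";
            break;
        case 'eval-present':
            echo "LIKELY VULNERABLE: eval() at line(s) " . implode(', ', $r['lines'])
               . " in {$r['path']}\n";
            echo "Upgrade to MaxSite CMS 109.2 or later, or block this endpoint.\n";
            exit(1);
        default:
            echo "No eval() in {$r['path']}; still confirm the CMS version is >= 109.2.\n";
    }
}
```

A hit is strong evidence of the unpatched plugin. A miss is not proof of 109.2, because the script does not read the CMS version and an operator may have edited the file by hand, so confirm the installed version separately before closing the ticket.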

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 01:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Max-3000; Max-3000 maxsite Cms
CPEs                 -                cpe:2.3:a:max-3000:maxsite_cms:*:*:*:*:*:*:*:*
Vendors & Products   -                Max-3000; Max-3000 maxsite Cms

Mon, 02 Mar 2026 18:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Maxsite; Maxsite cms
Vendors & Products   -                Maxsite; Maxsite cms

Sun, 01 Mar 2026 14:15:00 +0000

Type         Values Removed   Values Added
Description  -                A flaw has been found in MaxSite CMS up to 109.1. This impacts the function eval of the file application/maxsite/admin/plugins/editor_markitup/preview-ajax.php of the component MarkItUp Preview AJAX Endpoint. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. The exploit has been published and may be used. Upgrading to version 109.2 will fix this issue. This patch is called 08937a3c5d672a242d68f53e9fccf8a748820ef3. You should upgrade the affected component. The code maintainer was informed beforehand about the issues. He reacted very fast and highly professional.
Title        -                MaxSite CMS MarkItUp Preview AJAX Endpoint preview-ajax.php eval code injection
Weaknesses   -                CWE-74; CWE-94
References   -                -
Metrics      -                cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
                              cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
                              cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
                              cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-02T17:51:45.740Z

Reserved: 2026-02-28T17:15:17.376Z

Link: CVE-2026-3395

Vulnrichment

Updated: 2026-03-02T17:48:46.309Z

NVD

Status : Analyzed

Published: 2026-03-01T14:16:05.960

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3395

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:45:16Z

Weaknesses