Code Injection Vulnerability in MaxSite CMS MarkItUp Plugin
CVE-2026-3395
6.9 MEDIUM
What is CVE-2026-3395?
A security flaw in MaxSite CMS version 109.1, located in the MarkItUp Preview AJAX endpoint, can lead to remote code injection. An attacker can exploit the vulnerability by manipulating the eval function in the 'preview-ajax.php' file, which could result in unauthorized code execution on the server. Users are strongly advised to upgrade to version 109.2 to mitigate the risk. The code maintainer addressed the issue swiftly.
Affected Version(s)
CMS 109.0
CMS 109.1
CMS 109.2
CVSS V4
Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
mrsolo404 (VulDB User)
VulDB
