CVE-2026-3395

7.3 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on MaxSite CMS installations through a code injection flaw in the MarkItUp Preview AJAX endpoint. Attackers can exploit this without authentication to gain control of affected systems. All MaxSite CMS users running versions up to 109.1 are affected.

💻 Affected Systems

Products:
  • MaxSite CMS
Versions: All versions up to and including 109.1
Operating Systems: All operating systems running MaxSite CMS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable component is part of the admin plugins and affects the MarkItUp editor preview functionality.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.

🟠 Likely Case

Remote code execution leading to website defacement, data theft, or installation of backdoors for persistent access.

🟢 If Mitigated

Limited impact if proper network segmentation, WAF rules, and input validation are in place, though exploitation may still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit has been published and can be launched remotely without authentication, making this easily weaponizable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 109.2

Vendor Advisory: https://github.com/maxsite/cms/commit/08937a3c5d672a242d68f53e9fccf8a748820ef3

Restart Required: No

Instructions:

1. Backup your MaxSite CMS installation and database.
2. Download version 109.2 from the official repository.
3. Replace the vulnerable file application/maxsite/admin/plugins/editor_markitup/preview-ajax.php with the patched version.
4. Verify the patch by checking the file hash matches commit 08937a3c5d672a242d68f53e9fccf8a748820ef3.

🔧 Temporary Workarounds

Disable MarkItUp Preview AJAX Endpoint (Platform: Linux)

Temporarily disable the vulnerable endpoint by removing or renaming the preview-ajax.php file:

mv /path/to/maxsite/application/maxsite/admin/plugins/editor_markitup/preview-ajax.php /path/to/maxsite/application/maxsite/admin/plugins/editor_markitup/preview-ajax.php.disabled

Implement WAF Rules (Platform: all)

Add web application firewall rules to block requests to the vulnerable endpoint.

🧯 If You Can't Patch

  • Restrict network access to the MaxSite CMS admin interface using IP whitelisting
  • Disable the MarkItUp editor plugin entirely and use alternative editor options

🔍 How to Verify

Check if Vulnerable:

Check if file application/maxsite/admin/plugins/editor_markitup/preview-ajax.php exists and compare its content with the vulnerable version

Check Version:

Check MaxSite CMS version in the admin panel or look for version information in configuration files

Verify Fix Applied:

Verify the file hash of preview-ajax.php matches the patched version: sha1sum should equal 08937a3c5d672a242d68f53e9fccf8a748820ef3

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /admin/plugins/editor_markitup/preview-ajax.php
  • Suspicious eval() function calls in PHP error logs
  • Unexpected process execution from web server user

Network Indicators:

  • HTTP requests containing malicious code patterns targeting the preview endpoint
  • Outbound connections from web server to suspicious IPs

SIEM Query:

source="web_server_logs" AND uri="/admin/plugins/editor_markitup/preview-ajax.php" AND (method="POST" OR method="GET") AND (payload CONTAINS "eval" OR payload CONTAINS "system" OR payload CONTAINS "exec")
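The log indicators above can be checked offline against a web server access log. The following is an added example (not part of the advisory or of MaxSite CMS) that parses combined-format access log lines, reports every request to the preview-ajax.php endpoint, and marks requests from outside an assumed admin allowlist; the sample log lines, the 192.168.10.0/24 admin network and the 203.0.113.7 source address are constructed for the demonstration.

```python
import re
from ipaddress import ip_address, ip_network

# Endpoint named in the advisory; the prefix before /admin/ varies per install,
# so match on the plugin-relative suffix of the request path.
VULN_SUFFIX = "/admin/plugins/editor_markitup/preview-ajax.php"

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag_preview_requests(lines, admin_allowlist):
    """Return one finding per request to the MarkItUp preview endpoint.
    admin_allowlist: CIDR strings for networks that legitimately use the admin UI
    (the advisory recommends IP whitelisting); others get outside_allowlist=True.
    404s are kept so attempts made after the rename workaround stay visible.
    """
    nets = [ip_network(n) for n in admin_allowlist]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["uri"].split("?", 1)[0]  # ignore any query string
        if not path.endswith(VULN_SUFFIX):
            continue
        src = ip_address(rec["ip"])
        findings.append({
            "ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
            "status": int(rec["status"]), "ua": rec["ua"],
            "outside_allowlist": not any(src in n for n in nets),
        })
    return findings

# Constructed sample lines (not real traffic): one admin-network request, then an
# unknown address hitting the endpoint, browsing, and retrying after the rename (404).
SAMPLE_LOG = [
    '192.168.10.5 - - [10/Mar/2026:09:14:02 +0000] "POST /admin/plugins/editor_markitup/preview-ajax.php HTTP/1.1" 200 811 "https://cms.example.test/admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:09:20:45 +0000] "POST /admin/plugins/editor_markitup/preview-ajax.php HTTP/1.1" 200 93 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2026:09:21:10 +0000] "GET /index.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2026:11:02:33 +0000] "POST /admin/plugins/editor_markitup/preview-ajax.php HTTP/1.1" 404 196 "-" "python-requests/2.31"',
]
```

Run `flag_preview_requests(SAMPLE_LOG, ["192.168.10.0/24"])` to list the three endpoint hits; on a real system, feed it the lines of the access log and your own admin networks, and treat any finding with outside_allowlist set as a review item.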
