CVE-2026-3395

MEDIUM EPSS 38.2%
Published Mar 1, 20264mo ago · Modified Apr 29, 20262mo ago
5.5 CVSS 4.0
Medium
Find Similar
Published Mar 1, 2026 4mo ago
Last Modified Apr 29, 2026 2mo ago

Description

A flaw has been found in MaxSite CMS up to 109.1. This impacts the function eval of the file application/maxsite/admin/plugins/editor_markitup/preview-ajax.php of the component MarkItUp Preview AJAX Endpoint. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. The exploit has been published and may be used. Upgrading to version 109.2 will fix this issue. This patch is called 08937a3c5d672a242d68f53e9fccf8a748820ef3. You should upgrade the affected component. The code maintainer was informed beforehand about the issues. He reacted very fast and highly professional.

CVSS Details

Base Score
5.5
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
38.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-74
CWE-94 Improper Control of Generation of Code (Code Injection) Injection

Affected Products 1

VendorProductVersionRange
max-3000maxsite_cms* <109.2

References 5

  • github.com https://github.com/maxsite/cms/
    Product
  • github.com https://github.com/maxsite/cms/commit/08937a3c5d672a242d68f53e9fccf8a748820ef3
    Patch
  • vuldb.com https://vuldb.com/?ctiid.348281
    Permissions RequiredVDB Entry
  • vuldb.com https://vuldb.com/?id.348281
    Third Party AdvisoryVDB Entry
  • vuldb.com https://vuldb.com/?submit.762169
    Third Party AdvisoryVDB Entry

Remediation

  • github.com https://github.com/maxsite/cms/commit/08937a3c5d672a242d68f53e9fccf8a748820ef3
    Patch