Platform: php
Component: editor_markitup
Fixed in: 109.0.1, 109.1.1
CVE-2026-3395 describes a code injection vulnerability discovered in MaxSite CMS, specifically within the MarkItUp component's Preview AJAX Endpoint. This flaw allows attackers to potentially execute arbitrary code on vulnerable systems. The vulnerability impacts versions 109.0 through 109.1 of MaxSite CMS, and a fix is available in version 109.2.
Successful exploitation of CVE-2026-3395 allows an attacker to inject and execute arbitrary code on the server hosting the MaxSite CMS instance. This could lead to complete system compromise, including data theft, modification, or deletion. The attacker could gain control of the CMS administrative interface, allowing them to deface the website, install malicious plugins, or redirect users to phishing sites. Given the remote accessibility of the vulnerability and the availability of a public exploit, the potential impact is significant.
CVE-2026-3395 is considered a high-risk vulnerability because a public exploit is available. While no active campaigns have been publicly confirmed, the ease of exploitation increases the likelihood that malicious actors will target vulnerable systems. The vulnerability was disclosed on 2026-03-01, and a patch was released shortly thereafter. It is listed in the NVD and in CISA advisories.
Exploit Status
EPSS: 0.05% (15th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-3395 is to upgrade MaxSite CMS to version 109.2 or later without delay. If upgrading is not immediately feasible, consider temporary workarounds such as restricting access to the application/maxsite/admin/plugins/editor_markitup/preview-ajax.php endpoint with a web application firewall (WAF) or reverse proxy. Carefully review and sanitize all user input reaching the MarkItUp editor to prevent malicious code from being injected. Monitor server logs for suspicious activity involving the affected endpoint.
Update MaxSite CMS to version 109.2 or later. This update corrects the code injection vulnerability in the MarkItUp plugin. The update is available on the official MaxSite CMS website.
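The workaround above asks for two things an operator can act on today: a network-level restriction on the preview endpoint and log monitoring for requests that reach it anyway. The following script is an added example (not code from this page or from the MaxSite CMS project) that implements the monitoring half: it parses access-log lines in the common combined format, keeps only requests for the vulnerable endpoint path quoted on this page, and flags any that succeeded from outside an assumed trusted administrator network or without an admin referer. The log lines, the `10.0.0.` trusted range and the referer heuristic are constructed assumptions for the example, not facts from the advisory.

```python
import re
from collections import Counter

# Endpoint path taken from the advisory's workaround text.
VULN_ENDPOINT = "/application/maxsite/admin/plugins/editor_markitup/preview-ajax.php"

# Assumption for this example: administrators only work from this address range.
TRUSTED_ADMIN_NETS = ("10.0.0.",)

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Mar/2026:10:00:05 +0000] "POST /application/maxsite/admin/plugins/editor_markitup/preview-ajax.php HTTP/1.1" 200 812 "-" "python-requests/2.31"
10.0.0.5 - - [01/Mar/2026:10:01:00 +0000] "POST /application/maxsite/admin/plugins/editor_markitup/preview-ajax.php HTTP/1.1" 200 640 "https://cms.example/admin/" "Mozilla/5.0"
198.51.100.9 - - [01/Mar/2026:10:01:02 +0000] "POST /application/maxsite/admin/plugins/editor_markitup/preview-ajax.php HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.7 - - [01/Mar/2026:10:02:00 +0000] "GET /application/maxsite/admin/plugins/editor_markitup/preview-ajax.php HTTP/1.1" 403 199 "-" "curl/8.4"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string before comparing
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip):
    """True when the source address falls inside the assumed admin range."""
    return ip.startswith(TRUSTED_ADMIN_NETS)


def scan_access_log(log_text):
    """Return suspicious successful hits on the preview endpoint, blocked attempts,
    and a per-source count of every request to that endpoint."""
    suspicious = []
    blocked = 0
    per_source = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != VULN_ENDPOINT:
            continue
        per_source[rec["ip"]] += 1
        if rec["status"] in (401, 403):
            blocked += 1  # the WAF/proxy restriction did its job
            continue
        reasons = []
        if not is_trusted(rec["ip"]):
            reasons.append("source outside trusted admin range")
        if rec["referer"] == "-":
            reasons.append("no admin-page referer")
        if rec["status"] == 200 and reasons:
            suspicious.append({
                "ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                "ua": rec["ua"], "reasons": reasons,
            })
    return {"suspicious": suspicious, "blocked": blocked, "per_source": per_source}


if __name__ == "__main__":
    result = scan_access_log(SAMPLE_LOG)
    for hit in result["suspicious"]:
        print(f"ALERT {hit['ts']} {hit['ip']} {hit['method']} ({'; '.join(hit['reasons'])}) ua={hit['ua']}")
    print(f"blocked attempts: {result['blocked']}")
    print("requests per source:", dict(result["per_source"]))
```

Run against the sample, the script flags the two successful POSTs from 198.51.100.9 (outside the trusted range, no admin referer), counts the 403 as a blocked attempt, and leaves the administrator's own request from 10.0.0.5 alone. Pointing it at a real log means replacing `SAMPLE_LOG` with the file contents and adjusting `TRUSTED_ADMIN_NETS` to the site's actual admin sources.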
CVE-2026-3395 is a code injection vulnerability in the MarkItUp Preview AJAX Endpoint of MaxSite CMS versions 109.0 through 109.1, allowing attackers to execute arbitrary code.
If you are running MaxSite CMS version 109.0 or 109.1, you are potentially affected by this vulnerability. Upgrade to version 109.2 to mitigate the risk.
The recommended fix is to upgrade MaxSite CMS to version 109.2 or later. As a temporary workaround, restrict access to the vulnerable endpoint using a WAF or proxy.
While no active campaigns have been confirmed, a public exploit exists, increasing the likelihood of exploitation.
Refer to the MaxSite CMS security advisories for the latest information and updates regarding CVE-2026-3395.