High (7.3)

CVE-2026-3395: PHP [PoC]

CVE-2026-3395

A flaw has been found in MaxSite CMS up to 109.1. This impacts the function eval of the file application/maxsite/admin/plugins/editor_markitup/preview-ajax.php of the component MarkItUp Preview AJAX E...

Affected: PHP

Security Advisory: High-Severity Code Injection Vulnerability in MaxSite CMS

Overview

A high-severity security vulnerability has been identified in MaxSite CMS versions up to and including 109.1. The flaw resides in the MarkItUp Preview AJAX Endpoint, a component used for content preview. This vulnerability allows a remote attacker to inject and execute arbitrary code on the server, potentially granting them full control over the affected web application.

Vulnerability Details

The vulnerability lies in preview-ajax.php, where request input reaches PHP's eval() function. Validation or sanitization cannot make this pattern safe: eval() executes whatever string it receives, so the fix has to take attacker-controlled data out of the eval() call entirely. The endpoint is reachable over the network, and the public proof-of-concept listed below is described as unauthenticated; this page does not state which privilege level the attack requires, so assume none. An attacker sends a request whose body contains PHP code, and the server executes it with the permissions of the web server process.
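The pattern the paragraph describes, as an added illustration that is not MaxSite's code and is not taken from this page: a preview handler that evaluates the POST body, beside one that never calls eval() and gates the endpoint behind an admin session and a CSRF token. The exact eval() expression in MaxSite's preview-ajax.php is not shown on this page; the `preview_*` function names, the `is_admin` and `csrf_token` session keys, and the inline template are assumptions made for the example.

```php
<?php
// Illustrative only: a minimal reconstruction of the vulnerable pattern the
// advisory describes (attacker-controlled input reaching eval()), beside a
// hardened replacement. This is NOT MaxSite's preview-ajax.php; the function
// names, the session keys and the template are assumptions for the example.

declare(strict_types=1);

// VULNERABLE PATTERN: the POST body is evaluated as a PHP template.
// A body such as  data=<?php system('id'); ?>  runs on the server.
// (Assumed form of the call; the page does not show MaxSite's exact eval() line.)
function preview_vulnerable(string $data): string
{
    ob_start();
    eval('?>' . $data);          // '?>' leaves PHP mode, then $data is parsed as a template
    return (string) ob_get_clean();
}

// HARDENED PATTERN: no eval() anywhere on the request path. The preview is
// built by plain string substitution into a static template, which cannot
// execute code, and only an authenticated admin with a valid CSRF token gets it.
function preview_hardened(string $data, array $session, string $csrf_token): string
{
    // Assumed session layout: the CMS marks admin logins with $session['is_admin']
    // and keeps the per-session CSRF token under $session['csrf_token'].
    if (empty($session['is_admin'])) {
        http_response_code(403);
        return 'forbidden';
    }
    if (!isset($session['csrf_token'])
        || !hash_equals((string) $session['csrf_token'], $csrf_token)) {
        http_response_code(403);
        return 'bad csrf token';
    }

    // Defensive cap on the preview size (arbitrary limit for the example).
    if (strlen($data) > 200000) {
        http_response_code(413);
        return 'preview too large';
    }

    $template = '<!doctype html><html><body><!-- content --></body></html>';
    // str_replace emits PHP tags inside $data as text; nothing is parsed or executed.
    return str_replace('<!-- content -->', $data, $template);
}

// Request entry point when served by a web server (skipped under the CLI).
if (PHP_SAPI !== 'cli') {
    session_start();
    $data  = (string) ($_POST['data'] ?? '');
    $token = (string) ($_POST['csrf_token'] ?? ($_SERVER['HTTP_X_CSRF_TOKEN'] ?? ''));
    header('Content-Type: text/html; charset=utf-8');
    echo preview_hardened($data, $_SESSION, $token);
}
```

Feeding the hardened handler a body of `<?php system('id'); ?>` returns that text inside the template rather than the command's output. Whether an admin-only preview should render raw HTML at all is a separate design decision; the point here is that nothing from the request reaches the interpreter.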

The issue carries a CVSS score of 7.3 (High). Treat the practical impact as full remote code execution regardless of the numeric score, because eval() of attacker-controlled input gives arbitrary PHP execution under the web server account. A functional exploit is publicly available, which raises the likelihood of opportunistic attacks.

Impact

If successfully exploited, this vulnerability can have severe consequences:

  • Full System Compromise: Attackers can execute any command or code on the web server with the permissions of the web server process.
  • Data Theft or Destruction: Sensitive data, including user information, can be accessed, stolen, or deleted.
  • Website Defacement: Attackers can alter website content.
  • Launching Point for Further Attacks: The compromised server can be used to attack other internal systems or distribute malware to visitors.

Affected Products

  • MaxSite CMS versions 109.1 and all prior versions.

Remediation and Mitigation

The only complete solution is to update the software immediately.

  1. Immediate Upgrade: Upgrade MaxSite CMS to version 109.2 or later. This version contains the fix (commit 08937a3c5d672a242d68f53e9fccf8a748820ef3) that addresses the code injection flaw.
  2. Verification: After upgrading, confirm the version number in the admin panel and, for deployments tracked in git, confirm that the fix commit is present in your checkout. A version string alone does not prove that preview-ajax.php was replaced, so also check that the installed file no longer passes request data to eval().
  3. Temporary Mitigation (If Upgrade is Delayed): As a temporary measure, consider restricting access to the /admin/plugins/editor_markitup/ directory at the web server (e.g., .htaccess for Apache) or network firewall level, especially from untrusted networks. Note that this may break the preview functionality and is not a substitute for patching.
  4. General Best Practice: Regularly review user accounts with access to the admin panel and ensure strong, unique passwords are in use.
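The temporary mitigation from step 3, as an added example that is not from the MaxSite project or from this advisory: an Apache .htaccess placed in the editor_markitup plugin directory named above that refuses every client outside an allowed range. The allowed network 203.0.113.0/24 is a placeholder; the assumption is that the directory is served directly from the document root and that AllowOverride permits authorization directives there.

```apacheconf
# Added example, not MaxSite's own configuration. Put this file at
# application/maxsite/admin/plugins/editor_markitup/.htaccess (path from the
# advisory) or in the matching <Directory> block of the vhost. Replace the
# placeholder range 203.0.113.0/24 with the network your admins actually use.

# Apache 2.4 and later: multiple Require lines are OR'ed, so any listed source passes.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.0/24
    Require ip 127.0.0.1 ::1
</IfModule>

# Apache 2.2 fallback (legacy syntax, identical effect).
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.0/24 127.0.0.1 ::1
</IfModule>
```

Confirm the rule is live by sending a POST to preview-ajax.php from an address outside the allowed range and checking for an HTTP 403; the editor preview will stop working for anyone outside that range, which is the expected cost of this stopgap until the upgrade is applied.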

The MaxSite CMS maintainer was notified and responded promptly with a professional fix. Users are strongly advised to apply the update without delay to protect their systems from potential exploitation.


Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository Stars
mbanyamer/CVE-2026-3395-MaxSite-CMS-Unauthenticated-RCE ★ 5

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.
