CVE-2026-3395 Overview
A code injection vulnerability has been discovered in MaxSite CMS versions up to 109.1. The flaw resides in the use of the eval function in application/maxsite/admin/plugins/editor_markitup/preview-ajax.php, which is part of the MarkItUp Preview AJAX Endpoint component. It allows remote attackers to execute arbitrary code by manipulating the input data that this function evaluates.
Critical Impact
Remote attackers can exploit this code injection flaw to execute arbitrary code on vulnerable MaxSite CMS installations, potentially leading to complete system compromise, data theft, or server takeover.
Affected Products
- MaxSite CMS versions up to and including 109.1
- Max-3000 MaxSite CMS installations using the MarkItUp editor plugin
- Any MaxSite CMS deployment with the preview-ajax.php endpoint accessible
Discovery Timeline
- 2026-03-01 - CVE-2026-3395 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-3395
Vulnerability Analysis
This vulnerability affects the MarkItUp Preview AJAX Endpoint in MaxSite CMS, specifically the call to eval() in preview-ajax.php. The vulnerable code path passes user-supplied input to PHP's eval() without adequate sanitization, creating a direct code injection vector.
The vulnerability is exploitable over the network without requiring authentication, making it particularly dangerous for publicly accessible MaxSite CMS installations. An attacker can craft malicious requests to the preview AJAX endpoint that inject arbitrary PHP code into the eval() context, resulting in server-side code execution.
The impact includes potential unauthorized access to server resources, modification of website content, data exfiltration, and the ability to use the compromised server as a pivot point for further attacks. The vendor responded promptly and professionally upon notification, releasing a security patch in version 109.2.
Root Cause
The root cause of this vulnerability is the improper use of PHP's eval() function combined with insufficient input validation and sanitization in the MarkItUp preview functionality. The preview-ajax.php file accepts user input that is subsequently processed through the eval() function without proper filtering, allowing arbitrary code to be executed within the PHP interpreter context.
This represents a violation of secure coding practices, specifically CWE-94 (Improper Control of Generation of Code) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Attack Vector
The attack is conducted remotely through the network by sending specially crafted HTTP requests to the MarkItUp Preview AJAX endpoint located at application/maxsite/admin/plugins/editor_markitup/preview-ajax.php. The attacker manipulates input parameters that are passed to the eval() function, injecting malicious PHP code.
Since the vulnerability requires no authentication and can be exploited over the network, any MaxSite CMS installation with the affected endpoint accessible is at risk. The attacker can inject commands that execute with the privileges of the web server process, potentially allowing full system compromise depending on the server configuration.
Technical details regarding the specific exploitation methodology can be found in the VulDB advisory.
Detection Methods for CVE-2026-3395
Indicators of Compromise
- Unusual HTTP requests targeting /application/maxsite/admin/plugins/editor_markitup/preview-ajax.php with suspicious payloads
- Web server logs showing attempts to inject PHP code patterns such as system(), exec(), shell_exec(), or passthru() in request parameters
- Unexpected process spawning from the web server process (www-data, apache, nginx user accounts)
- New or modified files in web directories with recent timestamps that don't match normal deployment patterns
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block code injection patterns in requests to the MarkItUp preview endpoint
- Implement log monitoring for requests containing PHP function names or code-like syntax targeting AJAX endpoints
- Use SentinelOne Singularity to detect anomalous process execution originating from web server processes
- Monitor for outbound connections initiated by web server processes that may indicate successful exploitation and command-and-control activity
Monitoring Recommendations
- Enable detailed access logging for the MaxSite CMS admin directory and review logs for suspicious patterns
- Configure intrusion detection systems (IDS) to alert on requests containing common PHP code injection signatures
- Implement file integrity monitoring on MaxSite CMS installation directories to detect unauthorized modifications
- Monitor network traffic from web servers for unusual outbound connections or data exfiltration attempts
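The log-review items above (requests to preview-ajax.php carrying PHP function names or code-like syntax) can be checked with a small scanner over access logs. This is an added example, not code from the MaxSite CMS project or its advisory; the log lines are constructed, the `text` parameter name is an assumption, and the pattern list extends the advisory's four function names with eval, base64_decode and the `<?php` opening tag.

```python
"""Flag access-log requests to the MaxSite MarkItUp preview endpoint whose query
string looks like PHP code injection. Added example, not MaxSite project code;
sample lines are constructed and the 'text' parameter name is an assumption."""
import re
from urllib.parse import unquote_plus

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# Function names from the advisory's IoC list plus common code-like markers.
CODE_PATTERNS = re.compile(
    r"\b(system|exec|shell_exec|passthru|eval|base64_decode)\s*\(|<\?php", re.I)
ENDPOINT_SUFFIX = "/plugins/editor_markitup/preview-ajax.php"

def analyze_line(line):
    """Return a finding dict for a request to the preview endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.endswith(ENDPOINT_SUFFIX):   # suffix: CMS may live in a subdir
        return None
    # Decode twice so double-URL-encoded payloads are still matched.
    hit = CODE_PATTERNS.search(unquote_plus(unquote_plus(query)))
    # POST bodies are not in access logs, so a POST is reported, not flagged.
    reason = (f"code pattern: {hit.group(0)}" if hit
              else f"{m.group('method')} to preview endpoint (body not logged)")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
            "suspicious": bool(hit), "reason": reason}

def scan(lines):
    """Return only findings that matched a code-injection pattern."""
    return [f for f in map(analyze_line, lines) if f and f["suspicious"]]

# Constructed samples: encoded injection attempt, double-encoded attempt,
# an ordinary editor POST, and an unrelated request.
P = "/application/maxsite/admin" + ENDPOINT_SUFFIX
SAMPLE_LOG = [
    f'203.0.113.7 - - [05/Mar/2026:10:12:01 +0000] "GET {P}?text=system%28%27id%27%29%3B HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    f'203.0.113.7 - - [05/Mar/2026:10:12:09 +0000] "GET {P}?text=%253C%253Fphp HTTP/1.1" 200 498 "-" "curl/8.4.0"',
    f'192.0.2.10 - - [05/Mar/2026:10:30:44 +0000] "POST {P} HTTP/1.1" 200 1034 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [05/Mar/2026:10:31:02 +0000] "GET /index.php HTTP/1.1" 200 7733 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} {f['reason']}")
```

A 200 status on a flagged request deserves the most urgent review, since it suggests the endpoint accepted the input; run the scanner over the full log history, not just recent entries, because the endpoint may have been reachable long before the CVE was published.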
How to Mitigate CVE-2026-3395
Immediate Actions Required
- Upgrade MaxSite CMS to version 109.2 or later immediately to address this vulnerability
- If immediate upgrade is not possible, temporarily restrict access to the MarkItUp preview AJAX endpoint using web server access controls
- Review web server logs for evidence of exploitation attempts against the vulnerable endpoint
- Conduct a security assessment of the MaxSite CMS installation to identify any signs of compromise
Patch Information
The vulnerability has been addressed in MaxSite CMS version 109.2. The fix is identified by commit 08937a3c5d672a242d68f53e9fccf8a748820ef3 in the official GitHub repository. Administrators should upgrade to version 109.2 or apply the patch from the referenced commit to remediate the vulnerability.
The vendor was notified about the issue beforehand and responded quickly with a professional approach to remediation, demonstrating responsible security practices.
Workarounds
- Block access to preview-ajax.php at the web server level using .htaccess (Apache) or location blocks (nginx) until patching is completed
- Disable the MarkItUp editor plugin entirely if the preview functionality is not required for operations
- Implement network-level access controls to restrict access to the MaxSite CMS admin area to trusted IP addresses only
- Deploy a web application firewall configured to block requests containing code injection patterns
# Apache .htaccess workaround - place in MaxSite CMS root (needs AllowOverride AuthConfig/Limit)
<FilesMatch "preview-ajax\.php$">
    <IfModule mod_authz_core.c>
        # Apache 2.4+: deny everyone, or allow trusted IPs instead
        Require all denied
        # Require ip 192.168.1.0/24
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 (Order/Deny syntax fails on 2.4 without mod_access_compat)
        Order Allow,Deny
        Deny from all
        # Allow from 192.168.1.0/24
    </IfModule>
</FilesMatch>
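The nginx equivalent of the .htaccess workaround listed above, as an added example not taken from the MaxSite CMS project; it assumes the site is served by a standard `location ~ \.php$` handler and uses the same example trusted range.

```nginx
# nginx workaround: place inside the server {} block of the MaxSite CMS site,
# BEFORE the generic "location ~ \.php$" handler, because nginx uses the
# first regex location that matches in order of appearance.
location ~ /plugins/editor_markitup/preview-ajax\.php$ {
    # Optionally allow trusted management addresses first, e.g.:
    # allow 192.168.1.0/24;
    deny all;   # everyone else receives 403
}
```

Validate and reload with `nginx -t && nginx -s reload`, then confirm with a request from an untrusted address that the endpoint now returns 403 rather than executing.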
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.