Home / Vulnerability Intelligence / CVE-2026-3395

CVE-2026-3395 - Vulnerability Analysis

HighCVSS: 7.3

Last Updated: March 1, 2026

MaxSite CMS - Command Injection

Published: March 1, 2026Updated: March 1, 2026PoC AvailableRemote Exploitable

Overview

MaxSite CMS <= 109.1 contains a command injection caused by unsanitized input in eval function in MarkItUp Preview AJAX Endpoint, letting remote attackers execute arbitrary code, exploit requires no special privileges.

Severity & Score

Severity: High

CVSS Score: 7.3

Impact

Remote attackers can execute arbitrary code, potentially leading to full system compromise.

Mitigation

Upgrade to version 109.2.

References

https://github.com/maxsite/cms/
https://github.com/maxsite/cms/commit/08937a3c5d672a242d68f53e9fccf8a748820ef3
https://vuldb.com/?ctiid.348281
https://vuldb.com/?id.348281
https://vuldb.com/?submit.762169

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-3395
Severity: High
CVSS Score: 7.3
Type: command_injection
Status: new

CWE

CWE-74

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L