CVE-2008-6446

CMS MAXSITE - Remote Code Execution via Guestbook Message Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-6446. PoCs published by CWH Underground.

AI-analyzed exploit summary: This exploit targets a remote command execution vulnerability in the CMS MAXSITE Component Guestbook. It injects PHP code into the guestbook message field, allowing arbitrary command execution via a crafted GET request.

Description

Static code injection vulnerability in the Guestbook component in CMS MAXSITE allows remote attackers to inject arbitrary PHP code into the guestbook via the message parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by CWH Underground · perl · webapps · php
https://www.exploit-db.com/exploits/7322

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: CMS MAXSITE Component Guestbook (version not specified)
No auth needed
Prerequisites: Target must have the vulnerable CMS MAXSITE Component Guestbook installed · PHP must be configured to allow command execution functions like passthru
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7322
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/32588
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/47025

Scores

EPSS 0.0226
EPSS Percentile 80.7%

Details

CWE: CWE-94
Status: published
Products (1): geniuscyber/maxsite
Published: Mar 09, 2009
Tracked Since: Feb 18, 2026