CVE-2026-3395

HIGH LAB

MaxSite CMS <109.1 - Code Injection


Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-3395. PoCs published by XiaomingX, rootdirective-sec, mbanyamer.

AI-analyzed exploit summary: The repository contains a functional Python exploit for CVE-2026-3395, targeting MaxSite CMS <= 109.1 with the run_php plugin enabled. The exploit leverages unauthenticated access to preview-ajax.php, bypassing weak referrer checks to achieve remote code execution via eval() in the run_php plugin.

Description

A flaw has been found in MaxSite CMS up to version 109.1. It affects the function eval in the file application/maxsite/admin/plugins/editor_markitup/preview-ajax.php of the component MarkItUp Preview AJAX Endpoint. Manipulation of the input reaching this function can lead to code injection, and the attack can be launched remotely. An exploit has been published and may be in use. Upgrading to version 109.2 fixes this issue; the fixing commit is 08937a3c5d672a242d68f53e9fccf8a748820ef3. You should upgrade the affected component. The code maintainer was informed beforehand about the issue and responded very quickly and professionally.

Exploits (3)

GitHub · Working PoC · 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-3395

The repository contains a functional Python exploit for CVE-2026-3395, targeting MaxSite CMS <= 109.1 with the run_php plugin enabled. The exploit leverages unauthenticated access to preview-ajax.php, bypassing weak referrer checks to achieve remote code execution via eval() in the run_php plugin.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: MaxSite CMS <= 109.1
No auth needed
Prerequisites: MaxSite CMS <= 109.1 · run_php plugin enabled
devstral-2 · analyzed Mar 04, 2026

nomisec · Working PoC
by rootdirective-sec · poc
https://github.com/rootdirective-sec/CVE-2026-3395-Lab

This repository provides a functional Docker-based lab environment to demonstrate CVE-2026-3395, an unauthenticated RCE vulnerability in MaxSite CMS. It includes vulnerable and patched builds, along with a proof-of-concept exploit that leverages the `run_php` plugin to execute arbitrary PHP code via the `preview-ajax.php` endpoint.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: MaxSite CMS (with `run_php` plugin enabled)
No auth needed
Prerequisites: Docker · Docker Compose v2 · MaxSite CMS with `run_php` plugin enabled
devstral-2 · analyzed Mar 03, 2026

nomisec · Working PoC
by mbanyamer · poc
https://github.com/mbanyamer/CVE-2026-3395-MaxSite-CMS-Unauthenticated-RCE

The repository contains a functional Python exploit for CVE-2026-3395, targeting MaxSite CMS <= 109.1 with the run_php plugin enabled. The exploit leverages unauthenticated access to preview-ajax.php, bypassing weak referrer checks to achieve remote code execution via eval() in the run_php plugin.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: MaxSite CMS <= 109.1
No auth needed
Prerequisites: MaxSite CMS <= 109.1 · run_php plugin enabled
devstral-2 · analyzed Mar 02, 2026

References (5)

Core References (5)

- https://github.com/maxsite/cms/ (product; various sources)
- https://vuldb.com/?id.348281 (VDB entry, technical description; permissions required)
- https://vuldb.com/?ctiid.348281 (VDB entry, signature; permissions required)
- https://vuldb.com/?submit.762169 (VDB entry, third-party advisory; permissions required)

Scores

CVSS v3 7.3
EPSS 0.0049
EPSS Percentile 37.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-74, CWE-94
Status published
Products (1)
max-3000/maxsite_cms < 109.2
Published Mar 01, 2026
Tracked Since Mar 01, 2026