CVE-2026-3395 is a remote code injection vulnerability affecting MaxSite CMS versions 109.0 and 109.1. The vulnerability exists in the MarkItUp Preview AJAX Endpoint component, specifically within the file application/maxsite/admin/plugins/editor_markitup/preview-ajax.php, where the PHP eval function is improperly used to process input. This unsafe use of eval allows an attacker to inject and execute arbitrary PHP code remotely without requiring authentication or user interaction. The vulnerability is exploitable over the network (AV:N) with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact affects confidentiality, integrity, and availability at a low level, as indicated by the CVSS vector. The flaw was responsibly disclosed and patched in version 109.2, with the patch identified by commit 08937a3c5d672a242d68f53e9fccf8a748820ef3. While no active exploitation has been reported, the availability of exploit code increases the urgency for patching. This vulnerability highlights the risks of using eval with untrusted input in web applications and the importance of secure coding practices in CMS platforms.

If exploited, this vulnerability allows remote attackers to execute arbitrary PHP code on the affected MaxSite CMS server, potentially leading to unauthorized access, data leakage, defacement, or disruption of service. The compromise of confidentiality could expose sensitive content or user data managed by the CMS. Integrity could be undermined by unauthorized content modifications or insertion of malicious code. Availability might be impacted if attackers disrupt the CMS operation or deploy ransomware or other destructive payloads. Given the remote and unauthenticated nature of the exploit, the attack surface is broad, especially for publicly accessible CMS installations. Organizations relying on MaxSite CMS for website management face risks of reputational damage, regulatory non-compliance, and operational disruption if this vulnerability is exploited.

The primary mitigation is to upgrade MaxSite CMS to version 109.2 or later, which contains the official patch fixing the code injection flaw. Until the upgrade can be applied, administrators should restrict access to the vulnerable AJAX endpoint by implementing network-level controls such as IP whitelisting or web application firewall (WAF) rules that block suspicious or unexpected requests targeting application/maxsite/admin/plugins/editor_markitup/preview-ajax.php. Additionally, auditing web server logs for unusual POST requests to this endpoint can help detect attempted exploitation. Developers should review and refactor any use of eval or similar functions in custom plugins or extensions to avoid unsafe code execution. Employing runtime application self-protection (RASP) or intrusion detection systems (IDS) can provide additional layers of defense. Regular backups and incident response plans should be in place to recover quickly if compromise occurs.