CVE-2026-3395 is a remote code injection vulnerability identified in MaxSite CMS, affecting versions 109.0 and 109.1. The vulnerability exists in the MarkItUp Preview AJAX Endpoint, specifically in the file application/maxsite/admin/plugins/editor_markitup/preview-ajax.php, where the PHP eval function is improperly used. This unsafe use of eval allows an attacker to inject and execute arbitrary PHP code remotely without requiring authentication or user interaction. The vulnerability is exploitable over the network (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact affects confidentiality, integrity, and availability at a low level, as indicated by the CVSS vector. Although no known exploits in the wild have been reported yet, proof-of-concept exploits have been published, increasing the likelihood of active exploitation. The MaxSite CMS maintainer responded promptly and released version 109.2 to fix the issue by removing or securing the vulnerable eval usage. This vulnerability highlights the risks of using eval with untrusted input in web applications, especially in CMS platforms that are publicly accessible and widely used for content management.

The vulnerability allows remote attackers to execute arbitrary code on affected MaxSite CMS installations, potentially leading to full system compromise. This can result in unauthorized data access or modification, website defacement, deployment of malware, or use of the compromised server as a pivot point for further attacks. The lack of authentication and user interaction requirements makes exploitation straightforward for attackers scanning for vulnerable sites. Organizations relying on MaxSite CMS for web presence or internal portals face risks of service disruption, data breaches, and reputational damage. The published exploit code increases the urgency of patching to prevent opportunistic attacks. Although the CVSS score is medium (6.9), the real-world impact could escalate if attackers combine this vulnerability with other weaknesses or target high-value systems.

Immediate upgrade to MaxSite CMS version 109.2 is the primary mitigation to eliminate the vulnerable code path. Until upgrade is possible, organizations should restrict access to the affected endpoint (application/maxsite/admin/plugins/editor_markitup/preview-ajax.php) via web application firewalls (WAFs) or network-level controls to block suspicious requests. Implement strict input validation and sanitization on any user-supplied data processed by the CMS, especially where eval or similar functions are used. Monitor web server logs for unusual or suspicious activity targeting the MarkItUp Preview AJAX Endpoint. Employ intrusion detection systems (IDS) to detect exploitation attempts. Regularly audit CMS plugins and third-party components for unsafe code practices. Educate developers and administrators about the risks of using eval with untrusted input to prevent similar vulnerabilities in the future.