RedhatCVE
added 2026/03/02 7:53 p.m. | 7 views

CVE-2026-3395

A flaw has been found in MaxSite CMS up to 109.1. This impacts the function eval of the file application/maxsite/admin/plugins/editormarkitup/preview-ajax.php of the component MarkItUp Preview AJAX Endpoint. Executing a manipulation can lead to code injection. It is possible to launch the attack...

CVSS 9.8 | AI score 5.6 | EPSS 0.00486
Exploits 1 | References 1
CVE
added 2026/03/02 12:49 p.m. | 7 views

CVE-2025-14532

CVE-2025-14532 describes an unauthenticated file-upload flaw in DobryCMS that allows uploading files of any type/extension, enabling remote code execution. The NVD entry indicates a high-severity, network-accessible issue (CVSS v4.0-like metrics: base score 9.3; impacts to confidentiality, integr...

CVSS 9.8 | AI score 6 | EPSS 0.00536
Exploits 0 | References 1 | Affected Software 1
RedhatCVE
added 2026/03/02 1:51 a.m. | 6 views

CVE-2026-27939

Statamic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensiti...

CVSS 8.8 | AI score 5.8 | EPSS 0.00386
Exploits 0 | References 1
GithubExploit
added 2026/03/01 9:19 p.m. | 289 views

Exploit for CVE-2026-3395

CVE‑2026‑3395 — MaxSite CMS Unauthenticated Remote Code Execut...

CVSS 7.5 | AI score 7.5 | EPSS 0.00486
Exploits 1
NVD
added 2026/03/01 2:16 p.m. | 5 views

CVE-2026-3395

A flaw has been found in MaxSite CMS up to 109.1. This impacts the function eval of the file application/maxsite/admin/plugins/editormarkitup/preview-ajax.php of the component MarkItUp Preview AJAX Endpoint. Executing a manipulation can lead to code injection. It is possible to launch the attack...

CVSS 9.8 | EPSS 0.00486
Exploits 1 | References 5
Cvelist
added 2026/03/01 2:02 p.m. | 28 views

CVE-2026-3395 MaxSite CMS MarkItUp Preview AJAX Endpoint preview-ajax.php eval code injection

A flaw has been found in MaxSite CMS up to 109.1. This impacts the function eval of the file application/maxsite/admin/plugins/editormarkitup/preview-ajax.php of the component MarkItUp Preview AJAX Endpoint. Executing a manipulation can lead to code injection. It is possible to launch the attack...

CVSS 7.5 | EPSS 0.00486
Exploits 1 | References 5
CVE
added 2026/03/01 2:02 p.m. | 46 views

CVE-2026-3395

Summary (CVE-2026-3395): MaxSite CMS up to 109.1 contains a flaw in the MarkItUp Preview AJAX Endpoint (preview-ajax.php) where unsanitized input is passed to run_php and evaluated via PHP eval(), enabling unauthenticated remote code execution. This is driven by weak authorization checks in the M...

CVSS 9.8 | AI score 6.7 | EPSS 0.00486
Exploits 1 | References 5 | Affected Software 1
Snyk
added 2026/03/01 1:30 a.m. | 1 view

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization in the user fieldtype data endpoint. An attacker can obtain unauthorized access to email addresses of users without the required permissions by sending crafted requests to the endpoint. Remediation: Upgrade...

CVSS 6.5 | AI score 5.9 | EPSS 0.00231
Exploits 0 | References 2
Snyk
added 2026/03/01 1:30 a.m. | 1 view

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in Glide when operating in insecure mode. An unauthenticated attacker can access internal services and cloud metadata endpoints by supplying arbitrary URLs to the image proxy or watermark feature. This i...

CVSS 8.8 | AI score 6 | EPSS 0.00378
Exploits 0 | References 2
CNNVD
added 2026/03/01 12:00 a.m. | 10 views

MaxSite CMS Code Injection Vulnerability

MaxSite CMS is an open-source website content management system developed by MaxSite in Russia. Versions of MaxSite CMS 109.1 and earlier contained a code injection vulnerability. This vulnerability originated from a function in the MarkItUp Preview AJAX Endpoint component’s file,...

CVSS 9.8 | AI score 7.2 | EPSS 0.00486
Exploits 1 | References 5
GithubExploit
added 2026/02/28 2:01 p.m. | 172 views

Exploit for SQL Injection in Cmsmadesimple Cms_Made_Simple

updat...

CVSS 8.1 | AI score 7.2 | EPSS 0.55958
Exploits 38
RedhatCVE
added 2026/02/28 2:00 p.m. | 6 views

CVE-2026-24351

PluXml CMS is vulnerable to Stored XSS in the Static Pages editing functionality. An attacker with editing privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when visiting the edited page. The vendor was notified early about this vulnerability, but didn't respond with...

CVSS 5.4 | AI score 6 | EPSS 0.00177
Exploits 0 | References 1
RedhatCVE
added 2026/02/28 2:00 p.m. | 8 views

CVE-2026-24352

PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this...

CVSS 9.8 | AI score 5.9 | EPSS 0.00352
Exploits 0 | References 1
RedhatCVE
added 2026/02/28 2:00 p.m. | 6 views

CVE-2025-15498

Pro3W CMS is vulnerable to SQL injection attacks. Improper neutralization of input provided to a login form allows an unauthenticated attacker to bypass authentication and gain administrative privileges. This issue was identified in version 1.2.0 of this software. Due to lack of response from t...

CVSS 9.3 | AI score 6 | EPSS 0.0047
Exploits 0 | References 1
RedhatCVE
added 2026/02/28 2:00 p.m. | 5 views

CVE-2026-24350

PluXml CMS is vulnerable to Stored XSS in file uploading functionality. An authenticated attacker can upload an SVG file containing a malicious payload, which will be executed when a victim clicks the link associated with the uploaded image. In version 5.9.0-rc7 clicking the link associated with...

CVSS 5.4 | AI score 6 | EPSS 0.00169
Exploits 0 | References 1
GithubExploit
added 2026/02/28 12:00 a.m. | 309 views

Exploit for Unrestricted Upload of File with Dangerous Type in Pluck-Cms Pluck

CVE-2020-29607 — Pluck CMS Authenticated remote code executio...

CVSS 7.2 | AI score 7.7 | EPSS 0.33428
Exploits 6
NVD
added 2026/02/27 11:16 p.m. | 6 views

CVE-2026-28423

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode, which is not the default, the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary...

CVSS 8.6 | EPSS 0.00378
Exploits 0 | References 3
NVD
added 2026/02/27 11:16 p.m. | 7 views

CVE-2026-28425

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the...

CVSS 8 | EPSS 0.00428
Exploits 0 | References 3
Vulnrichment
added 2026/02/27 10:23 p.m. | 2 views

CVE-2026-28426 Statamic vulnerable to privilege escalation via stored cross-site scripting

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, a stored XSS vulnerability in svg and icon related components allows authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileg...

CVSS 8.7 | AI score 5.8 | EPSS 0.00259
Exploits 0 | References 3
CVE
added 2026/02/27 10:23 p.m. | 22 views

CVE-2026-28426

CVE-2026-28426 affects Statamic (a Laravel/Git‑based CMS). A stored cross‑site scripting (XSS) flaw exists in the svg and icon related components prior to versions 5.73.11 and 6.4.0, enabling an authenticated user with certain permissions to inject malicious JavaScript that executes for higher‑pr...

CVSS 8.7 | AI score 5.8 | EPSS 0.00259
Exploits 0 | References 3 | Affected Software 1