彙總 max-3000 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
常見弱點模式包括 跨站腳本與路徑處理缺陷,在 生產負載與軟體部署 使用場景中可能帶來 工作階段劫持與檔案覆寫 等風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-3395 | A flaw has been found in MaxSite CMS up to 109.1. This impacts the function eval of the file application/maxsite/admin/plugins/editor_markitup/preview-ajax.php of the component MarkItUp Preview AJAX Endpoint. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. The exploit has been published and may be used. Upgrading to version 109.2 will fix this issue. This patch is called 08937a3c5d672a242d68f53e9fccf8a748820ef3. You should upgrade the affected c | [email protected] | 5.5 | 0.49% | 2026-03-01 | 2026-06-17 |
| CVE-2025-12347 | A flaw has been found in MaxSite CMS up to 109. This issue affects some unknown processing of the file application/maxsite/admin/plugins/editor_files/save-file-ajax.php. Executing manipulation of the argument file_path/content can lead to unrestricted upload. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 2.1 | 0.36% | 2025-10-27 | 2026-06-17 |
| CVE-2025-12346 | A vulnerability was detected in MaxSite CMS up to 109. This vulnerability affects unknown code of the file application/maxsite/admin/plugins/auto_post/uploads-require-maxsite.php of the component HTTP Header Handler. Performing manipulation of the argument X-Requested-FileName/X-Requested-FileUpDir results in unrestricted upload. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in an | [email protected] | 2.1 | 0.36% | 2025-10-27 | 2026-06-17 |
| CVE-2022-25413 | Maxsite CMS v108 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the parameter f_tags at /admin/page_edit/3. | [email protected] | 5.4 | 0.48% | 2022-02-28 | 2026-06-17 |
| CVE-2022-25412 | Maxsite CMS v180 was discovered to contain multiple arbitrary file deletion vulnerabilities in /admin_page/all-files-update-ajax.php via the dir and deletefile parameters. | [email protected] | 8.1 | 1.04% | 2022-02-28 | 2026-06-17 |
| CVE-2022-25411 | A Remote Code Execution (RCE) vulnerability at /admin/options in Maxsite CMS v180 allows attackers to execute arbitrary code via a crafted PHP file. | [email protected] | 9.8 | 2.79% | 2022-02-28 | 2026-06-17 |
| CVE-2022-25410 | Maxsite CMS v180 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the parameter f_file_description at /admin/files. | [email protected] | 5.4 | 0.48% | 2022-02-28 | 2026-06-17 |
| CVE-2021-27983 | Remote Code Execution (RCE) vulnerability exists in MaxSite CMS v107.5 via the Documents page. | [email protected] | 9.8 | 3.47% | 2021-12-10 | 2026-06-16 |