Skip to main content

DreamMaker CVE-2026-10072

| EUVDEUVD-2026-33291 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-05-29 twcert GHSA-vqqm-f2cp-rfxx
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 29, 2026 - 14:22 vuln.today
CVSS changed
May 29, 2026 - 14:22 NVD
7.2 (HIGH) 8.6 (HIGH)

DescriptionCVE.org

DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

AnalysisAI

Arbitrary file upload in Interinfo DreamMaker allows authenticated high-privilege remote attackers to upload web shell backdoors and achieve arbitrary code execution on the underlying server. The flaw carries a CVSS 4.0 score of 8.6 and was reported via TWCERT, with no public exploit identified at time of analysis. Despite the high privilege requirement, the network-reachable vector and full CIA impact on the host make this a meaningful post-authentication compromise primitive.

Technical ContextAI

DreamMaker is a web-based application from Taiwanese vendor Interinfo (CPE: cpe:2.3:a:interinfo:dreammaker), commonly deployed in regional enterprise environments. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the upload handler fails to validate file extension, MIME type, or content before writing attacker-controlled files into a web-accessible directory. Once a server-side script (e.g., .jsp, .aspx, .php) lands inside the web root, the application server will execute it on subsequent HTTP requests, giving the attacker an interactive web shell that runs under the privileges of the web service account.

RemediationAI

Patch available per vendor advisory - consult the TWCERT advisories at https://www.twcert.org.tw/en/cp-139-10946-1127f-2.html and https://www.twcert.org.tw/tw/cp-132-10943-8fb00-1.html and contact Interinfo for the fixed DreamMaker build, as no exact fix version is enumerated in the provided data. Until the patch is applied, restrict access to administrative and upload endpoints to trusted management networks via firewall or reverse-proxy ACLs (side effect: legitimate remote admins must use VPN), enforce strong unique credentials and MFA for all high-privilege DreamMaker accounts to raise the bar against the PR:H prerequisite, and configure the web server to disallow script execution within any user-writable upload directory - for IIS/Tomcat/Apache this means stripping handler mappings for .jsp/.aspx/.php/.asp under the upload path (side effect: any legitimate server-side rendering from that directory will break). Monitor web server logs and file-system audit trails for newly written executable file extensions in upload directories as a detection compensating control.

Share

CVE-2026-10072 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy