Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An issue was discovered in DedeCMS 5.7.118 allowing attackers to execute code via crafted setup tag values in a module upload.
AnalysisAI
Remote code execution in DedeCMS 5.7.118 allows unauthenticated attackers to execute arbitrary code through crafted setup tag values during module upload operations. The vulnerability exploits insufficient input validation in the module upload functionality, enabling direct code injection. No CVSS score, EPSS data, or KEV confirmation is available; however, the presence of a public proof-of-concept demonstrates practical exploitability.
Technical ContextAI
DedeCMS is a PHP-based content management system. The vulnerability resides in the module upload feature, which processes setup tag values without adequate sanitization or validation. The root cause appears to be improper handling of user-supplied input in template or configuration tags that are passed to code execution routines during module installation or activation. This likely involves unsafe deserialization, direct code inclusion, or eval()-like constructs operating on untrusted setup tag parameters. The vulnerability affects the core module installation mechanism, which typically requires administrative or elevated permissions in most CMS architectures, though the description suggests this may be exploitable through unauthenticated upload channels.
RemediationAI
Upgrade DedeCMS to a patched version released after 5.7.118. Consult the official DedeCMS website (https://www.dedecms.com/) for the latest stable release and installation instructions. As an interim measure, restrict access to the module upload functionality to trusted administrators only, disable the module upload feature entirely if not in active use, and implement strict input validation and Web Application Firewall (WAF) rules to block requests with suspicious setup tag syntax or encoded payloads targeting the upload endpoints. Additionally, audit all currently installed modules for unauthorized or malicious code, and review server logs for evidence of prior exploitation attempts.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17960
GHSA-vc3q-w6jg-xcpj