Skip to main content

DedeCMS EUVDEUVD-2026-17960

| CVE-2026-30643 CRITICAL
Code Injection (CWE-94)
2026-04-01 mitre GHSA-vc3q-w6jg-xcpj
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 17:30 euvd
EUVD-2026-17960
Analysis Generated
Apr 01, 2026 - 17:30 vuln.today
CVE Published
Apr 01, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

An issue was discovered in DedeCMS 5.7.118 allowing attackers to execute code via crafted setup tag values in a module upload.

AnalysisAI

Remote code execution in DedeCMS 5.7.118 allows unauthenticated attackers to execute arbitrary code through crafted setup tag values during module upload operations. The vulnerability exploits insufficient input validation in the module upload functionality, enabling direct code injection. No CVSS score, EPSS data, or KEV confirmation is available; however, the presence of a public proof-of-concept demonstrates practical exploitability.

Technical ContextAI

DedeCMS is a PHP-based content management system. The vulnerability resides in the module upload feature, which processes setup tag values without adequate sanitization or validation. The root cause appears to be improper handling of user-supplied input in template or configuration tags that are passed to code execution routines during module installation or activation. This likely involves unsafe deserialization, direct code inclusion, or eval()-like constructs operating on untrusted setup tag parameters. The vulnerability affects the core module installation mechanism, which typically requires administrative or elevated permissions in most CMS architectures, though the description suggests this may be exploitable through unauthenticated upload channels.

RemediationAI

Upgrade DedeCMS to a patched version released after 5.7.118. Consult the official DedeCMS website (https://www.dedecms.com/) for the latest stable release and installation instructions. As an interim measure, restrict access to the module upload functionality to trusted administrators only, disable the module upload feature entirely if not in active use, and implement strict input validation and Web Application Firewall (WAF) rules to block requests with suspicious setup tag syntax or encoded payloads targeting the upload endpoints. Additionally, audit all currently installed modules for unauthorized or malicious code, and review server logs for evidence of prior exploitation attempts.

Share

EUVD-2026-17960 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy