Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
AnalysisAI
Unauthenticated arbitrary file upload in Interinfo DreamMaker allows remote attackers to upload web shell backdoors and execute arbitrary code on the server, scoring CVSS 4.0 9.3 (Critical). No public exploit identified at time of analysis, but the combination of no authentication, low attack complexity, and complete CIA impact makes this a high-priority issue. TWCERT (Taiwan's national CERT) is the reporting source, indicating regional advisory coordination.
Technical ContextAI
DreamMaker is a product developed by Interinfo, a Taiwanese software vendor; the affected CPE is cpe:2.3:a:interinfo:dreammaker covering all versions per the available data. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), in which the application's file upload handler fails to validate file extension, MIME type, or content before persisting attacker-supplied files into a web-accessible directory. Once a server-side script (e.g., a JSP/ASPX/PHP web shell, depending on the application stack) lands in an executable path, the web server interprets it on subsequent HTTP requests, giving the attacker an interactive command channel under the privileges of the web service account.
RemediationAI
Patch availability is not explicitly stated in the provided intelligence, so treat this as 'Patch available per vendor advisory' and consult the TWCERT bulletins at https://www.twcert.org.tw/tw/cp-132-10943-8fb00-1.html and https://www.twcert.org.tw/en/cp-139-10946-1127f-2.html for the exact fixed version from Interinfo. Until the vendor-supplied update is applied, compensating controls include restricting network reachability of the DreamMaker upload endpoints to trusted internal ranges via firewall/WAF (trade-off: breaks legitimate external uploads), deploying a WAF rule that blocks multipart POSTs containing executable extensions (.jsp, .asp, .aspx, .php, .jspx) or known web shell signatures to the upload URI (trade-off: signature evasion is possible), revoking write/execute permissions on the upload destination directory at the filesystem level so dropped files cannot be interpreted by the web server (trade-off: may break application features that re-serve uploaded content), and monitoring the upload directory for new server-executable files with file integrity monitoring.
More in Dreammaker
View allArbitrary file read in Interinfo DreamMaker allows remote unauthenticated attackers to retrieve sensitive system files b
Arbitrary file upload in Interinfo DreamMaker allows authenticated high-privilege remote attackers to upload web shell b
Absolute Path Traversal in DreamMaker (developed by Interinfo) allows unauthenticated remote attackers to enumerate file
Arbitrary file read in Interinfo's DreamMaker application allows privileged attackers to traverse relative path boundari
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33288
GHSA-hwhj-v6qm-whw2