Skip to main content

DreamMaker EUVDEUVD-2026-33288

| CVE-2026-10071 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-05-29 twcert GHSA-hwhj-v6qm-whw2
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 29, 2026 - 13:28 vuln.today
v3 (cvss_changed)
Analysis Updated
May 29, 2026 - 13:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 29, 2026 - 13:22 vuln.today
cvss_changed
CVSS changed
May 29, 2026 - 13:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
May 29, 2026 - 13:20 vuln.today

DescriptionCVE.org

DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

AnalysisAI

Unauthenticated arbitrary file upload in Interinfo DreamMaker allows remote attackers to upload web shell backdoors and execute arbitrary code on the server, scoring CVSS 4.0 9.3 (Critical). No public exploit identified at time of analysis, but the combination of no authentication, low attack complexity, and complete CIA impact makes this a high-priority issue. TWCERT (Taiwan's national CERT) is the reporting source, indicating regional advisory coordination.

Technical ContextAI

DreamMaker is a product developed by Interinfo, a Taiwanese software vendor; the affected CPE is cpe:2.3:a:interinfo:dreammaker covering all versions per the available data. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), in which the application's file upload handler fails to validate file extension, MIME type, or content before persisting attacker-supplied files into a web-accessible directory. Once a server-side script (e.g., a JSP/ASPX/PHP web shell, depending on the application stack) lands in an executable path, the web server interprets it on subsequent HTTP requests, giving the attacker an interactive command channel under the privileges of the web service account.

RemediationAI

Patch availability is not explicitly stated in the provided intelligence, so treat this as 'Patch available per vendor advisory' and consult the TWCERT bulletins at https://www.twcert.org.tw/tw/cp-132-10943-8fb00-1.html and https://www.twcert.org.tw/en/cp-139-10946-1127f-2.html for the exact fixed version from Interinfo. Until the vendor-supplied update is applied, compensating controls include restricting network reachability of the DreamMaker upload endpoints to trusted internal ranges via firewall/WAF (trade-off: breaks legitimate external uploads), deploying a WAF rule that blocks multipart POSTs containing executable extensions (.jsp, .asp, .aspx, .php, .jspx) or known web shell signatures to the upload URI (trade-off: signature evasion is possible), revoking write/execute permissions on the upload destination directory at the filesystem level so dropped files cannot be interpreted by the web server (trade-off: may break application features that re-serve uploaded content), and monitoring the upload directory for new server-executable files with file integrity monitoring.

Share

EUVD-2026-33288 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy