Is there a public PoC exploit available for EUVD-2026-36793?

Yes, a public proof-of-concept exploit is available for EUVD-2026-36793. Prioritise patching immediately. EPSS: 0.4%.

Discuz! X5.0 EUVD-2026-36793

Q: What is the CVSS score of EUVD-2026-36793?

EUVD-2026-36793 has a CVSS 4.0 base score of 6.9 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.4%.

| CVE-2026-49953 MEDIUM

Guessable CAPTCHA (CWE-804)

2026-06-15 VulnCheck

GHSA-p3qj-vw7q-v9pc

Authentication Bypass Discuz X5 0

6.9

CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY

6.9 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI

6.5 MEDIUM

Network-accessible unauthenticated bypass (AV:N/PR:N/AC:L) with limited confidentiality and integrity impact on protected endpoints; no availability impact and scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Jun 15, 2026 - 19:58 vuln.today

DescriptionCVE.org

Discuz! X5.0 releases 20260320 through 20260501 contains a CAPTCHA bypass vulnerability that allows unauthenticated remote attackers to defeat challenge controls by exploiting limited complexity and predictable character sets in generated CAPTCHA images. Attackers can train a custom optical character recognition model against collected CAPTCHA samples to reliably predict challenge text, bypassing protections on login, registration, and other functionality from automated abuse.

AnalysisAI

CAPTCHA challenge controls in Discuz! X5.0 (releases 20260320-20260501) can be reliably defeated by unauthenticated remote attackers who harvest samples from exposed forum endpoints and train a custom optical character recognition model to predict challenge text. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify internet-facing Discuz! X5.0 forum

Delivery

Harvest CAPTCHA images via unauthenticated HTTP requests

Exploit

Train custom OCR model on collected samples

Execution

Automate CAPTCHA solutions to bypass login and registration controls

Persist

Perform credential stuffing or mass account registration

Impact

Chain with race condition vulnerability to achieve remote code execution