Discuz! X5.0
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a path traversal flaw in the plugin import routine with file upload functionality to run arbitrary PHP as the web server user. Publicly available exploit code exists (published by Karma Insecurity / VulnCheck) demonstrating a race-condition-assisted bypass of sanitization, but the issue is not listed in CISA KEV and no public EPSS signal was provided. The CVSS PR:H (privileges required: high) component limits exploitation to attackers already holding administrator credentials or able to obtain them.
CAPTCHA challenge controls in Discuz! X5.0 (releases 20260320-20260501) can be reliably defeated by unauthenticated remote attackers who harvest samples from exposed forum endpoints and train a custom optical character recognition model to predict challenge text. The underlying weakness - CWE-804 - stems from a limited, predictable character set and insufficient visual distortion in generated images, enabling automation of login, registration, and other abuse-protected flows. Critically, a publicly available exploit exists and KarmaInsecurity has documented chaining this bypass with a race condition to achieve full remote code execution, substantially elevating practical risk beyond the standalone CVSS 4.0 score of 6.9.
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to access database backup and restore functionality exposed by dbbak.php. The flaw stems from a shared cryptographic key (CWE-323) between UCenter integration and the backup API, which lets an attacker abuse an encryption oracle in logging_ctl::logging_more() to mint legitimately signed authorization tokens, and chain a race condition to impersonate arbitrary users. Publicly available exploit code exists and an upstream fix has been published on Gitee.