uploads/include/dialog/select_soft.php in DedeCMS V57_UTF8_SP2 allows remote attackers to execute arbitrary PHP code by uploading with a safe file extension and then renaming with a mixed-case variation of the .php extension, as demonstrated by the 1.pHP filename.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HDedecms
APPDedecms5.7
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Related vulnerabilities
CVE-2026-30643CRITICAL9.8PL ✓ten sam produkt
DedeCMS 5.7.118 — zdalne wykonanie kodu przez upload modułu (RCE)
CVE-2026-30694CRITICAL9.8PL ✓ten sam produkt
RCE w DedeCMS poprzez komponent array_filter
CVE-2024-35510CRITICAL9.8PL ✓ten sam produkt
DedeCMS – arbitrary file upload umożliwiający RCE
CVE-2024-35375CRITICAL9.8PL ✓ten sam produkt
DedeCMS 5.7.114 — arbitrary file upload w panelu administracyjnym
CVE-2024-33749CRITICAL9.1PL ✓ten sam produkt
DedeCMS – nieautoryzowane usunięcie dowolnego pliku przez mail_file_manage.php