CRITICAL🇵🇱 Wersja polska

CVE-2026-30643

CVSS 9.8v3.1pub. 2026-04-01upd. 2026-04-06

An issue was discovered in DedeCMS 5.7.118 allowing attackers to execute code via crafted setup tag values in a module upload.

🤖 AI Analysis
How it works

The vulnerability exploits the module upload mechanism in DedeCMS. An attacker can deliver a crafted module containing malicious tag values (setup tag values), which are then interpreted and executed by the application without proper validation. The lack of input sanitization leads to arbitrary code execution on the server side. The attack vector is network-based, requires no authentication or user interaction, making this vulnerability particularly dangerous.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code remotely (RCE) on the server, which can lead to complete system compromise, data theft, backdoor installation, or further lateral movement within the infrastructure.

Mitigation & patch

Apply patches available from the vendor according to the references. It is recommended to monitor updates on the official vendor website (dedecms.com) and — until the patch is deployed — restrict access to the module upload functionality exclusively to trusted, authenticated users, preferably at the firewall or network access control level.

Who is affected

DedeCMS version 5.7.118

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Dedecms

    APP
    Dedecms
    ≤ 5.7.118
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-30694CRITICAL9.8PL ✓ten sam produkt

RCE w DedeCMS poprzez komponent array_filter

CVE-2024-35510CRITICAL9.8PL ✓ten sam produkt

DedeCMS – arbitrary file upload umożliwiający RCE

CVE-2024-35375CRITICAL9.8PL ✓ten sam produkt

DedeCMS 5.7.114 — arbitrary file upload w panelu administracyjnym

CVE-2024-33749CRITICAL9.1PL ✓ten sam produkt

DedeCMS – nieautoryzowane usunięcie dowolnego pliku przez mail_file_manage.php

CVE-2024-29661CRITICAL9.8PL ✓ten sam produkt

Krytyczne RCE przez File Upload w DedeCMS v5.7