Description
DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
Published: 2026-05-29
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

DreamMaker, produced by Interinfo, has an arbitrary file upload flaw that allows privileged remote attackers to upload web shell backdoors. By placing an executable file on the server through the upload mechanism, an attacker can then run that code, effectively gaining full control of the affected system.

Affected Systems

All installations of Interinfo DreamMaker are potentially impacted, especially those that have not applied the latest update. No specific version list is provided, so every deployed release should be checked to confirm that the security update has been applied.

Risk and Exploitability

The vulnerability carries a CVSS v4.0 score of 8.6 (7.2 under CVSS v3.1), indicating a high severity level. The upload functionality is reachable over the network with low attack complexity, but both the description and the CVSS vectors (PR:H) indicate that the attacker must already hold a privileged account, so exploitation depends on first obtaining such access. Although EPSS data is not available, the presence of a remote, privileged upload path suggests a realistic attack vector. The issue is not listed in CISA’s KEV catalog, but the high CVSS score and nature of the flaw warrant urgent attention.

Generated by OpenCVE AI on May 29, 2026 at 15:22 UTC.

Remediation

Vendor Solution

Update to version Java Composer 2.3 or later


OpenCVE Recommended Actions

  • Apply the vendor’s official patch to move to Java Composer 2.3 or later.
  • Disable or tightly restrict the arbitrary file upload feature, ensuring that only trusted users can upload files and that uploads are validated and stored outside the web root.
  • Implement monitoring of web server logs and file system changes to detect any unauthorized uploads or execution of web shells.

Advisories

No advisories yet.

History

Fri, 29 May 2026 17:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Interinfo; Interinfo dreammaker

Type: Vendors & Products
Values Added: Interinfo; Interinfo dreammaker

Fri, 29 May 2026 13:45:00 +0000

Type: Description
Values Added: DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

Type: Title
Values Added: Interinfo|DreamMaker - Arbitrary File Upload

Type: Weaknesses
Values Added: CWE-434

Type: References

Type: Metrics
Values Added:
cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-05-29T15:27:39.886Z

Reserved: 2026-05-29T08:39:07.153Z

Link: CVE-2026-10072

Vulnrichment

Updated: 2026-05-29T15:27:36.801Z

NVD

Status: Deferred

Published: 2026-05-29T14:16:25.817

Modified: 2026-05-29T15:11:03.853

Link: CVE-2026-10072

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:30:04Z

Weaknesses