Description
A vulnerability was determined in DedeCMS 5.7.88. The affected element is the function TrimMsg of the file /plus/feedback.php of the component Feedback Handler. Manipulating the argument msg can lead to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-06-02
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the TrimMsg function of the /plus/feedback.php component of DedeCMS. By supplying a crafted msg parameter, an attacker can inject arbitrary SQL code, potentially reading, modifying, or deleting database records. This flaw is a classic injection weakness (CWE-89). It can be exploited remotely against any reachable instance of the affected software.

Affected Systems

DedeCMS version 5.7.88 is affected by this SQL injection. No other product versions are currently listed as vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. EPSS information is unavailable, and the issue is not listed in the CISA KEV catalog, so the probability of exploitation is not currently quantified. However, the attack can be launched remotely and the exploit has been publicly disclosed, implying a realistic threat of exploitation if the issue is not mitigated.

Generated by OpenCVE AI on June 2, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available version of DedeCMS that contains the patch for the feedback.php SQL injection
  • If an update cannot be applied promptly, restrict external access to the feedback feature using firewall rules or web‑application firewalls to limit exposure
  • Modify the msg input handling to use parameterized queries or proper escaping to prevent injection, addressing the root CWE-89 weakness



Advisories

No advisories yet.

History

Tue, 02 Jun 2026 18:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 17:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: A vulnerability was determined in DedeCMS 5.7.88. The affected element is the function TrimMsg of the file /plus/feedback.php of the component Feedback Handler. Executing a manipulation of the argument msg can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.

Type: Title
Values Removed: (none)
Values Added: DedeCMS Feedback feedback.php TrimMsg sql injection

Type: First Time appeared
Values Removed: (none)
Values Added: Dedecms; Dedecms dedecms

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-74; CWE-89

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:dedecms:dedecms:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Dedecms; Dedecms dedecms

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added:
cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-02T17:32:47.756Z

Reserved: 2026-06-02T11:30:10.504Z

Link: CVE-2026-10606

Vulnrichment

Updated: 2026-06-02T17:32:33.356Z

NVD

Status : Deferred

Published: 2026-06-02T17:16:26.730

Modified: 2026-06-02T17:19:29.070

Link: CVE-2026-10606

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T18:30:15Z

Weaknesses