Description
A vulnerability was identified in DedeCMS 5.7.88. The impacted element is the function dede_htmlspecialchars of the file /plus/flink.php. The manipulation of the argument msg leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
Published: 2026-06-02
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in DedeCMS 5.7.88’s dede_htmlspecialchars function within the /plus/flink.php file allows an attacker to manipulate the msg argument and inject arbitrary SQL statements. The injection can be executed from a remote source, potentially granting the attacker the ability to read, modify, or delete database contents, thereby compromising data confidentiality and integrity.

Affected Systems

All hosts running DedeCMS 5.7.88 are vulnerable. This includes installations that expose the /plus/flink.php endpoint, which is reachable by unauthenticated external users.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 base score of 6.9 (Medium). Although no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, the public availability of an exploit and the remote, unauthenticated attack vector raise the risk for exposed systems. An attacker who can reach the vulnerable endpoint can inject SQL and read or alter data without authenticating.

Generated by OpenCVE AI on June 3, 2026 at 03:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DedeCMS to the latest secure release that contains a fix for the dede_htmlspecialchars injection issue.
  • Configure web server or application firewall rules to block or tightly restrict unauthenticated requests to /plus/flink.php, reducing exposure until a patch is applied.
  • Enforce stricter input validation or implement parameterized queries for the msg parameter to mitigate injection risk if the patch cannot be applied immediately.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in DedeCMS 5.7.88. The impacted element is the function dede_htmlspecialchars of the file /plus/flink.php. The manipulation of the argument msg leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
Title | | DedeCMS flink.php dede_htmlspecialchars sql injection
First Time appeared | | Dedecms; Dedecms dedecms
Weaknesses | | CWE-74; CWE-89
CPEs | | cpe:2.3:a:dedecms:dedecms:*:*:*:*:*:*:*:*
Vendors & Products | | Dedecms; Dedecms dedecms
References | |
Metrics | | cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-02T17:45:05.451Z

Reserved: 2026-06-02T11:30:13.498Z

Link: CVE-2026-10607

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-02T20:16:32.020

Modified: 2026-06-02T20:16:32.020

Link: CVE-2026-10607

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:00:13Z

Weaknesses