Description
A security flaw has been discovered in DedeCMS 5.7.88. This affects the function RemoveXSS of the file /plus/carbuyaction.php. The manipulation of the argument postname/des results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-06-02
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a SQL injection in the RemoveXSS function of DedeCMS 5.7.88's /plus/carbuyaction.php, caused by unsanitized handling of the postname/des argument. This error arises from improper input validation (CWE-74) and allows an attacker to inject arbitrary SQL commands that are executed against the database, enabling read, modification, or deletion of sensitive data.

Affected Systems

The vulnerability affects DedeCMS version 5.7.88, specifically the RemoveXSS routine in carbuyaction.php. No other versions or products are listed as affected.

Risk and Exploitability

With a CVSS score of 6.9 the risk is classified as medium. Attackers can reach the vulnerable endpoint remotely; exploit code has been publicly released, so exploitation probability is non‑zero. The vulnerability is not in the CISA KEV catalog but could be used by threat actors. The lack of EPSS data suggests no current widespread targeting, yet the presence of a public exploit means the risk remains moderate to high for unpatched installations.

Generated by OpenCVE AI on June 3, 2026 at 03:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update DedeCMS to the latest version that contains the fix for the RemoveXSS vulnerability.
  • Sanitize all input to the postname/des parameters and use parameterized queries to prevent SQL injection (CWE-89).
  • Deploy a web application firewall or similar security controls to detect and block SQL injection attempts on /plus/carbuyaction.php.

Generated by OpenCVE AI on June 3, 2026 at 03:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in DedeCMS 5.7.88. This affects the function RemoveXSS of the file /plus/carbuyaction.php. The manipulation of the argument postname/des results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Title DedeCMS carbuyaction.php RemoveXSS sql injection
First Time appeared Dedecms
Dedecms dedecms
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:dedecms:dedecms:*:*:*:*:*:*:*:*
Vendors & Products Dedecms
Dedecms dedecms
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Dedecms Dedecms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-02T18:00:10.772Z

Reserved: 2026-06-02T11:30:16.079Z

Link: CVE-2026-10608

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-02T20:16:32.183

Modified: 2026-06-02T20:16:32.183

Link: CVE-2026-10608

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T04:00:13Z

Weaknesses