Description
An unrestricted upload of file with dangerous type vulnerability in the file upload function of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to execute arbitrary system commands via a malicious class file.
Published: 2026-01-30
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An attacker can upload a file of a dangerous type to the file upload function of Interinfo DreamMaker. The file is treated as a legitimate class file and executed by the system, allowing the attacker to run arbitrary system commands. The weakness is identified as CWE‑434, which indicates a failure to restrict the type and usage of uploaded data.

Affected Systems

Internet Information Co., Ltd. DreamMaker versions released prior to October 22, 2025 are affected by this flaw. No specific build numbers are listed, so all instances before that date fall within the impacted scope.

Risk and Exploitability

The flaw carries a CVSS score of 10, marking it as critical. The EPSS score is less than 1%, suggesting that, while the vulnerability is severe, its exploitation probability is relatively low at present. It has not been added to the CISA KEV catalog. Attackers can exploit the vulnerability remotely by simply uploading a crafted file; no special configuration or local privilege is required. Because the flaw permits arbitrary command execution, its exploit would provide full control over the affected system, with potential breach of confidentiality, integrity, and availability.

Generated by OpenCVE AI on April 18, 2026 at 01:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch or upgrade DreamMaker to a version released on or after October 22, 2025.
  • Configure the web application to reject all non‑essential file types and enforce a strict whitelist of allowed extensions for uploads.
  • Implement server‑side validation to confirm that uploaded files match expected signatures or MIME types before processing.

Generated by OpenCVE AI on April 18, 2026 at 01:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://zuso.ai/advisory/za-2026-02 cve-icon cve-icon
History

Fri, 30 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 30 Jan 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Interinfo
Interinfo dreammaker
Vendors & Products Interinfo
Interinfo dreammaker

Fri, 30 Jan 2026 04:30:00 +0000

Type Values Removed Values Added
Description An unrestricted upload of file with dangerous type vulnerability in the file upload function of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to execute arbitrary system commands via a malicious class file.
Title Interinfo DreamMaker - Unrestricted Upload of File with Dangerous Type
Weaknesses CWE-434
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Interinfo Dreammaker
cve-icon MITRE

Status: PUBLISHED

Assigner: ZUSO ART

Published:

Updated: 2026-01-30T18:06:51.293Z

Reserved: 2026-01-26T07:42:53.160Z

Link: CVE-2026-24729

cve-icon Vulnrichment

Updated: 2026-01-30T18:06:47.126Z

cve-icon NVD

Status : Deferred

Published: 2026-01-30T05:16:33.490

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24729

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T01:15:05Z

Weaknesses