Description
DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability in /sys_task_add.php.
Published: 2026-03-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized administrative actions via CSRF
Action: Patch immediately
AI Analysis

Impact

The vulnerability allows an attacker to forge requests to the sys_task_add.php endpoint that the application accepts as if they came from the authenticated user. By exploiting it, an attacker can add or modify scheduled tasks within DedeCMS, potentially leading to privilege escalation or to arbitrary actions being executed under the authenticated user's rights. It is classified as a Cross-Site Request Forgery weakness (CWE-352).

Affected Systems

DedeCMS version 5.7.118 is affected. No other vendors or product versions have been reported. Users deploying this specific release should consider it compromised until a fix is applied.

Risk and Exploitability

The CVSS score of 8.8 reflects a high severity, while an EPSS score of less than 1% suggests a low probability of widespread exploitation in the near term. The vulnerability is not currently listed in CISA's KEV catalog. Exploitation likely requires that a target user be authenticated to DedeCMS and visit a crafted page or link that submits the forged request on their behalf, making it a targeted attack vector. If successful, the attacker could perform privileged operations without holding credentials of their own. Monitoring for abnormal task creation and applying a patch remain key defenses.

Generated by OpenCVE AI on March 25, 2026 at 23:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest DedeCMS release that fixes the CSRF issue in sys_task_add.php.
  • If an update is unavailable, restrict direct access to /sys_task_add.php or enforce a CSRF token check before processing requests.
  • Deploy a web application firewall rule that flags and blocks suspicious POST requests to sys_task_add.php.
  • Monitor the platform for unexpected task-creation activity and review logs for unauthorized changes.
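The second and fourth actions above, as an added illustration that is not DedeCMS code and not part of the OpenCVE record: a synchronizer-token CSRF check that a PHP handler can run before acting on a state-changing form submission such as a task-creation request, with an Origin/Referer comparison as defense in depth and a log line on rejection that doubles as the monitoring signal. It assumes PHP sessions are available and that the form carries its token in a field named csrf_token; the session key, field name, site origin and sample requests are this example's own choices.

```php
<?php
// Added example (not DedeCMS code): synchronizer-token CSRF check for a
// state-changing request handler. Assumes session storage (here an array
// standing in for $_SESSION) and a form field named csrf_token.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';   // assumed session key
const CSRF_FORM_FIELD  = 'csrf_token';   // assumed form field name

// Issue (or reuse) a per-session token: 32 random bytes, hex-encoded.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY]) || !is_string($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Hidden field to embed in every form that performs a state change.
function csrf_hidden_field(array &$session): string
{
    return '<input type="hidden" name="' . CSRF_FORM_FIELD . '" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Returns null when the request may proceed, otherwise a short reason
// string suitable for a log line.
function csrf_reject_reason(array $session, array $post, array $server, string $allowedOrigin): ?string
{
    // Only state-changing methods are checked; GET must never change state.
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return null;
    }

    // Defense in depth: when the browser supplies Origin (or Referer), it must
    // match the site's own origin. Cross-site form posts carry a foreign one.
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin === null && isset($server['HTTP_REFERER'])) {
        $p = parse_url($server['HTTP_REFERER']);
        if (isset($p['scheme'], $p['host'])) {
            $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
        }
    }
    if ($origin !== null && strcasecmp(rtrim($origin, '/'), rtrim($allowedOrigin, '/')) !== 0) {
        return 'origin mismatch: ' . $origin;
    }

    // Synchronizer token: must exist in the session and in the form, and
    // must match in constant time.
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $supplied = $post[CSRF_FORM_FIELD] ?? '';
    if (!is_string($expected) || $expected === '') {
        return 'no token in session';
    }
    if (!is_string($supplied) || !hash_equals($expected, $supplied)) {
        return 'token missing or invalid';
    }
    return null;
}

// Usage sketch with constructed requests: run the check before any task
// is created or modified.
$session = [];                        // stands in for $_SESSION
$siteOrigin = 'https://cms.example';  // constructed site origin

// Legitimate same-site submission carrying the session's token.
$goodPost   = [CSRF_FORM_FIELD => csrf_token($session), 'title' => 'nightly-cleanup'];
$goodServer = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://cms.example'];
var_dump(csrf_reject_reason($session, $goodPost, $goodServer, $siteOrigin));  // NULL: proceed

// Forged cross-site submission: no token, foreign Origin.
$badPost   = ['title' => 'nightly-cleanup'];
$badServer = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://other.example'];
$reason = csrf_reject_reason($session, $badPost, $badServer, $siteOrigin);
if ($reason !== null) {
    // Refuse and log; a spike in these lines is the task-creation anomaly to watch for.
    error_log('csrf rejected for /sys_task_add.php: ' . $reason);
    http_response_code(403);
}
```

The token comparison uses hash_equals so that a forged value cannot be guessed byte by byte through timing, and the Origin check runs first so that a rejection can be attributed to a foreign site in the log line even when a token is absent.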

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:30:00 +0000

Type: Title
Values Removed: DedeCMS Cross-Site Request Forgery Enabling Unauthorized Task Creation
Values Added: Cross-Site Request Forgery in DedeCMS 5.7.118 /sys_task_add.php

Wed, 25 Mar 2026 22:00:00 +0000

Type: Title
Values Added: DedeCMS Cross-Site Request Forgery Enabling Unauthorized Task Creation

Wed, 25 Mar 2026 21:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:dedecms:dedecms:5.7.118:*:*:*:*:*:*:*

Wed, 25 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Dedecms; Dedecms dedecms

Type: Vendors & Products
Values Added: Dedecms; Dedecms dedecms

Tue, 24 Mar 2026 18:15:00 +0000

Type: Weaknesses
Values Added: CWE-352

Type: Metrics
Values Added:
  cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 16:00:00 +0000

Type: Description
Values Added: DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability in /sys_task_add.php.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-24T17:54:13.568Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29839

Vulnrichment

Updated: 2026-03-24T17:52:23.713Z

NVD

Status: Analyzed

Published: 2026-03-24T16:16:30.787

Modified: 2026-03-25T20:53:05.983

Link: CVE-2026-29839

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:20:28Z

Weaknesses