CVE-2026-30457 - Vulnerability Details

Description

An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code.

Published: 2026-03-26

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the Dwoo parser component of FuelCMS permits an attacker to inject and execute arbitrary PHP code. This vulnerability is a classic code‑execution weakness (CWE‑94). If exploited, an attacker could gain full control over the affected web server, read sensitive data, modify files, or pivot to other systems within the network, jeopardizing confidentiality, integrity, and availability of the application and any underlying infrastructure.

Affected Systems

The vulnerability resides in Daylight Studio FuelCMS version 1.5.2 and the Dwoo library version 1.1.0. Administrators managing these versions of FuelCMS should verify that they are not using the default parser configuration that permits untrusted PHP code rendering.

Risk and Exploitability

The CVSS score of 9.8 indicates high severity, and the EPSS score (<1%) suggests low current exploit probability, although the lack of a known exploitation example does not diminish the risk. The vulnerability is not listed in the CISA KEV catalog yet, meaning it may be a new or under‑reported issue. Based on the description, the likely attack vector is remote via the web interface that processes user input through the Dwoo parser, allowing crafted PHP code to be embedded and executed on the server.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:thedaylightstudio:dwoo:1.1.0:::::::*
	cpe:2.3:a:thedaylightstudio:fuel_cms:1.5.2:::::::*

No data.

Vendor Product Confidence Versions

Daylightstudio

Fuel Cms

80%

Version	Status	Scheme	Platform
`1.5.2`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest official FuelCMS patch or upgrade to a version that addresses the Dwoo parsing issue.
If an upgrade is not immediately possible, disable or remove the Dwoo parser module and ensure no user–controlled data is passed to any PHP template engine.
Audit the application for any usages of eval, create_function, or similar dynamic code execution patterns and eliminate them.
Monitor logs for anomalous PHP code execution attempts and alert on suspicious activity.

Generated by OpenCVE AI on March 30, 2026 at 15:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00071.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
http://daylight.com
http://fuelcms.com
https://github.com/daylightstudio/FUEL-CMS/tree/master/fuel/modules/fuel/libraries/parser/dwoo
https://pentest-tools.com/PTT-2025-026-PHP-Code-Execution-Via-Dwoo-Escape.pdf

History

Tue, 31 Mar 2026 03:00:00 +0000

Type	Values Removed	Values Added
Title	Remote PHP Code Execution via Dwoo Parser in FuelCMS

Mon, 30 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Thedaylightstudio Thedaylightstudio dwoo Thedaylightstudio fuel Cms
CPEs		cpe:2.3:a:thedaylightstudio:dwoo:1.1.0:::::::* cpe:2.3:a:thedaylightstudio:fuel_cms:1.5.2:::::::*
Vendors & Products		Thedaylightstudio Thedaylightstudio dwoo Thedaylightstudio fuel Cms

Sun, 29 Mar 2026 20:45:00 +0000

Type	Values Removed	Values Added
Title		Remote PHP Code Execution via Dwoo Parser in FuelCMS

Sat, 28 Mar 2026 03:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-94
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 27 Mar 2026 08:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Daylightstudio Daylightstudio fuel Cms
Vendors & Products		Daylightstudio Daylightstudio fuel Cms

Thu, 26 Mar 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code.
References		http://daylight.com http://fuelcms.com https://github.com/daylightstudio/FUEL-CMS/tree/master/fuel/modules/fuel/libraries/parser/dwoo https://pentest-tools.com/PTT-2025-026-PHP-Code-Execution-Via-Dwoo-Escape.pdf

Subscriptions

Daylightstudio Fuel Cms

Thedaylightstudio Dwoo Fuel Cms

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-03-26T00:00:00.000Z

Updated: 2026-03-28T01:57:48.991Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30457

Vulnrichment

Updated: 2026-03-28T01:57:43.322Z

NVD

Status : Analyzed

Published: 2026-03-26T19:16:59.900

Modified: 2026-03-30T14:11:06.703

Link: CVE-2026-30457

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:57:49Z

Weaknesses

CWE-94

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object