Description
Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module.
Published: 2026-04-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated Remote Code Execution
Action: Patch Now
AI Analysis

Impact

An authenticated user can trigger arbitrary code execution through the Blocks module of FuelCMS. The flaw is categorized as CWE-94, indicating a code injection or arbitrary code execution weakness. Exploitation could allow full compromise of the web application and potentially the underlying server, impacting confidentiality, integrity, and availability.

Affected Systems

FuelCMS, version 1.5.2, developed by Daylight Studio. No other vendors or product versions were identified in the CVE data.

Risk and Exploitability

The vulnerability has a CVSS score of 8.8, indicating high severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and it is not listed in CISA’s KEV catalog. The likely attack vector requires the attacker to possess valid user credentials to access the Blocks module, after which arbitrary PHP code can be executed.

Generated by OpenCVE AI on April 10, 2026 at 11:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FuelCMS to the latest available version that includes the RCE fix
  • If an upgrade is not possible, restrict or disable the Blocks module and limit user permissions
  • Apply an application‑level firewall or security rules to block exploit attempts
  • Continuously monitor server logs and user activity for abnormal behavior

Generated by OpenCVE AI on April 10, 2026 at 11:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Authenticated Remote Code Execution via Blocks Module in FuelCMS 1.5.2

Fri, 10 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Title Authenticated Remote Code Execution via Blocks Module in FuelCMS v1.5.2
Weaknesses CWE-78

Fri, 10 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Thedaylightstudio
Thedaylightstudio fuel Cms
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:thedaylightstudio:fuel_cms:1.5.2:*:*:*:*:*:*:*
Vendors & Products Thedaylightstudio
Thedaylightstudio fuel Cms
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Daylightstudio
Daylightstudio fuel Cms
Vendors & Products Daylightstudio
Daylightstudio fuel Cms

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Authenticated Remote Code Execution via Blocks Module in FuelCMS v1.5.2
Weaknesses CWE-78
CWE-94

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module.
References

Subscriptions

Daylightstudio Fuel Cms
Thedaylightstudio Fuel Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-09T20:15:50.776Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30460

cve-icon Vulnrichment

Updated: 2026-04-09T18:08:36.034Z

cve-icon NVD

Status : Modified

Published: 2026-04-07T16:16:23.593

Modified: 2026-04-09T21:16:07.977

Link: CVE-2026-30460

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:27:20Z

Weaknesses