Description
Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule.
Published: 2026-04-15
Score: n/a
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Assess Impact
AI Analysis

Impact

Daylight Studio FuelCMS version 1.5.2 contains an authenticated remote code execution flaw in the Installer controller’s add_git_submodule function. Because the function accepts user input that can influence the execution of git commands, an attacker who authenticates to the application can trigger arbitrary code execution on the host. The weakness aligns with automated code execution vulnerabilities as defined in CWE‑94, where malicious input leads to compromised execution flow.

Affected Systems

The only affected product listed is Daylight Studio FuelCMS version 1.5.2. No additional vendor or product variations are documented in the CVE entry.

Risk and Exploitability

The vulnerability is authenticated, meaning an attacker must first gain valid credentials for the application. Once authenticated, the exploit can be performed by sending a crafted request to the /controllers/Installer.php endpoint that invokes add_git_submodule. Because no EPSS score is available and the CISA Known Exploited Vulnerabilities catalog does not list the issue, the publicly measured likelihood of exploitation is unknown. The CVSS metric, if provided elsewhere, would rate it as high due to remote code execution, but the lack of additional data suggests relying on the authenticated nature to gauge operational risk.

Generated by OpenCVE AI on April 15, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict all access to the /controllers/Installer.php endpoint so that only trusted administrators can reach it, or remove that route entirely.
  • Remove or disable the add_git_submodule function from the application code base, ensuring no other entry points allow similar code execution.
  • Check the vendor’s website or repository for an updated FuelCMS release that addresses this flaw, and upgrade the installation to a patched version if available.

Generated by OpenCVE AI on April 15, 2026 at 19:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Daylightstudio
Daylightstudio fuel Cms
Vendors & Products Daylightstudio
Daylightstudio fuel Cms

Wed, 15 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Title Authenticated Remote Code Execution via Git Submodule Function in FuelCMS Installer
Weaknesses CWE-94

Wed, 15 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule.
References

Subscriptions

Daylightstudio Fuel Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-15T15:37:12.754Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30461

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-15T16:16:36.050

Modified: 2026-04-15T16:16:36.050

Link: CVE-2026-30461

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T22:00:06Z

Weaknesses