Description
Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule.
Published: 2026-04-15
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

Daylight Studio FuelCMS version 1.5.2 contains an authenticated remote code execution flaw in the Installer controller's add_git_submodule function. The function name and the CVE record indicate that parameters supplied by an authenticated user end up on a git command line, so an attacker with valid credentials can run arbitrary commands on the host in the context of the PHP process. The record carries both CWE-94 (code injection) and CWE-77 (command injection); attacker-controlled input reaching a shell command is the command-injection case.
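As an added illustration (not code from FuelCMS or from the CVE record), the pattern described above in hypothetical PHP: a submodule-adding function that interpolates request parameters into a shell command, next to a hardened version that allow-lists the inputs and runs git without a shell. All function names, parameters and sample inputs here are assumed; PHP 7.4 or later is required for the array form of proc_open().

```php
<?php
// Added illustration, not FuelCMS code: a hypothetical add_git_submodule()
// written the way the advisory describes (request parameters driving a git
// command), next to a hardened version. Names and signatures are invented.
declare(strict_types=1);

// VULNERABLE (CWE-77): $repo and $path come straight from the request and are
// interpolated into a shell command. A repository value such as
//   https://example.invalid/mod.git; id > /tmp/pwned
// ends the git command and runs the attacker's command as the PHP user.
function add_git_submodule_vulnerable(string $repo, string $path, string $cwd): string
{
    $cmd = 'cd ' . $cwd . ' && git submodule add ' . $repo . ' ' . $path . ' 2>&1';
    return (string) shell_exec($cmd);
}

// HARDENED:
//  1. allow-list the URL and path instead of escaping them after the fact,
//  2. pass argv as an array to proc_open() so no shell parses anything,
//  3. put "--" before the positional arguments so git never reads a
//     user-supplied value as an option (defence in depth; the allow-lists
//     already reject a leading "-").
function add_git_submodule_hardened(string $repo, string $path, string $cwd): string
{
    // https only, host[:port]/path ending in .git, no whitespace or metacharacters.
    if (!preg_match('#\Ahttps://[A-Za-z0-9.-]+(?::\d{1,5})?/[A-Za-z0-9._/-]+\.git\z#', $repo)) {
        throw new InvalidArgumentException('repository URL rejected');
    }
    // Single relative path component: no "/", no leading "-" or ".", so no traversal.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $path)) {
        throw new InvalidArgumentException('submodule path rejected');
    }

    $argv = ['git', 'submodule', 'add', '--', $repo, $path];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    // Keep the current environment but make sure git never blocks on a prompt.
    $env  = array_merge(getenv(), ['GIT_TERMINAL_PROMPT' => '0']);

    $proc = proc_open($argv, $spec, $pipes, $cwd, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start git');
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) {
        throw new RuntimeException("git exited with status $status: $out");
    }
    return $out;
}

// Constructed inputs of the kind the vulnerable version would hand to the shell.
// All three are rejected before git is ever started.
$cases = [
    ['https://example.invalid/mod.git; id > /tmp/pwned', 'mod'],   // shell metacharacters
    ['--upload-pack=touch /tmp/pwned', 'mod'],                      // option injection
    ['https://example.invalid/mod.git', '../../fuel/modules'],     // path traversal
];
foreach ($cases as [$repo, $path]) {
    try {
        add_git_submodule_hardened($repo, $path, sys_get_temp_dir());
        echo "accepted: {$repo} {$path}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected ({$e->getMessage()}): {$repo} {$path}\n";
    }
}
```

The allow-list is the real control; escapeshellarg() alone would stop the metacharacter case but not a value that git itself interprets, which is why the hardened version also validates the URL scheme, refuses a leading "-", and separates options from arguments with "--".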

Affected Systems

The only affected product documented in the CVE entry is Daylight Studio FuelCMS version 1.5.2; no additional vendor or product variations are listed.

Risk and Exploitability

Exploitation requires valid credentials. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) records network access, low attack complexity, no user interaction and PR:L, i.e. the scorer assumed a low-privileged authenticated account suffices rather than a full administrator. Once authenticated, the attacker sends a crafted request to the installer route served by /controllers/Installer.php that invokes add_git_submodule with malicious parameters. The base score of 8.3 (High) reflects full loss of confidentiality and integrity on the host; the EPSS score below 1% estimates a low probability of exploitation in the wild over the coming 30 days. The SSVC assessment records Exploitation: poc, meaning a proof of concept exists but no in-the-wild exploitation has been reported, and the CVE is not in CISA's Known Exploited Vulnerabilities catalog.

Generated by OpenCVE AI on April 17, 2026 at 10:56 UTC.

Remediation

No vendor fix or workaround is currently listed in the record.

OpenCVE Recommended Actions

  • Restrict access to the Installer controller (/controllers/Installer.php) so that only trusted administrators can reach it, for example by denying the route at the web server or reverse proxy, or remove the route entirely if the installer is not needed after setup.
  • Remove or disable the add_git_submodule function in the application code, and review the Installer controller for other functions that pass request parameters to git or shell commands.
  • Check the vendor's repository or website for a FuelCMS release newer than 1.5.2 that addresses this flaw, and upgrade as soon as one is available.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Thedaylightstudio
Thedaylightstudio fuel Cms
CPEs cpe:2.3:a:thedaylightstudio:fuel_cms:1.5.2:*:*:*:*:*:*:*
Vendors & Products Thedaylightstudio
Thedaylightstudio fuel Cms

Fri, 17 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

ssvc (version 2.0.3): Exploitation: poc; Automatable: no; Technical Impact: total


Fri, 17 Apr 2026 11:15:00 +0000

Type Values Removed Values Added
Title Authenticated Remote Code Execution in FuelCMS via Git Submodule Function

Fri, 17 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Title Authenticated Remote Code Execution via Git Submodule Function in FuelCMS Installer
Weaknesses CWE-94

Thu, 16 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

cvssV3_1: 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)


Wed, 15 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Daylightstudio
Daylightstudio fuel Cms
Vendors & Products Daylightstudio
Daylightstudio fuel Cms

Wed, 15 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Title Authenticated Remote Code Execution via Git Submodule Function in FuelCMS Installer
Weaknesses CWE-94

Wed, 15 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-16T14:02:08.595Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30461

Vulnrichment

Updated: 2026-04-16T14:02:01.709Z

NVD

Status : Analyzed

Published: 2026-04-15T16:16:36.050

Modified: 2026-04-20T20:16:44.150

Link: CVE-2026-30461

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T11:00:13Z

Weaknesses