Description
An issue was discovered in DedeCMS 5.7.118 allowing attackers to execute code via crafted setup tag values in a module upload.
Published: 2026-04-01
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via injection in module upload setup tags
Action: Immediate Patch
AI Analysis

Impact

An attacker can upload a module to DedeCMS and manipulate the setup tag values to inject and execute arbitrary code. The flaw, classified as a code injection (CWE‑94), allows full control over the web application once the upload is processed, leading to compromise of confidentiality, integrity, and availability.

Affected Systems

The issue impacts DedeCMS content‑management system version 5.7.118. Only installations running that exact version are confirmed vulnerable.

Risk and Exploitability

With a CVSS score of 9.8 the vulnerability is of critical severity. The EPSS score of less than 1% indicates that exploit activity is currently low and the flaw is not listed in the CISA KEV catalog. The likely attack vector is the web interface’s module upload feature, where insecure handling of setup tags permits code injection. No public exploit code is known, but the nature of the flaw would allow a malicious actor to execute arbitrary commands once a malicious upload is successfully processed.

Generated by OpenCVE AI on April 6, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DedeCMS to the latest patched release that removes the injection flaw
  • If the module upload feature is not required, disable or restrict it to prevent exploitation
  • Monitor web‑application logs for unusual upload activity or signs of code execution

Generated by OpenCVE AI on April 6, 2026 at 17:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title DedeCMS 5.7.118 Code Injection via Module Upload Setup Tags

Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:dedecms:dedecms:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title DedeCMS 5.7.118 Code Injection via Module Upload Setup Tags
First Time appeared Dedecms
Dedecms dedecms
Vendors & Products Dedecms
Dedecms dedecms

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description An issue was discovered in DedeCMS 5.7.118 allowing attackers to execute code via crafted setup tag values in a module upload.
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Dedecms Dedecms
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-01T18:14:10.109Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30643

cve-icon Vulnrichment

Updated: 2026-04-01T18:11:03.749Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T17:28:39.003

Modified: 2026-04-06T15:29:18.880

Link: CVE-2026-30643

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:07:43Z

Weaknesses