Description
An issue in DedeCMS v.5.7.118 and before allows a remote attacker to execute arbitrary code via the array_filter component.
Published: 2026-03-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An issue in DedeCMS versions 5.7.118 and earlier allows a remote attacker to execute arbitrary code by exploiting the array_filter component. This flaw is classified as code injection (CWE‑94) and can be used to run malicious code on the server hosting the CMS.

Affected Systems

The affected product is DedeCMS, specifically any release at or below version 5.7.118. Systems running these versions remain vulnerable; newer releases are not known to be affected.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity, and the EPSS score of less than 1% suggests low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attack can be performed remotely via the CMS’s web interface, likely by sending specially crafted requests that trigger the array_filter component.

Generated by OpenCVE AI on March 26, 2026 at 00:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update DedeCMS to the latest version (≥5.7.119) to eliminate the vulnerability.
  • If an immediate upgrade is not possible, isolate the vulnerable system from the internet and monitor for suspicious activity.
  • Verify that no custom scripts or patches modify array_filter behavior.
  • Check for additional security updates from the vendor and apply them promptly.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:30:00 +0000

Type | Values Removed | Values Added
Title | | Remote Code Execution via array_filter in DedeCMS v5.7.118 and Earlier

Wed, 25 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:dedecms:dedecms:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 02:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-94
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dedecms; Dedecms dedecms
Vendors & Products | | Dedecms; Dedecms dedecms

Thu, 19 Mar 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | | An issue in DedeCMS v.5.7.118 and before allows a remote attacker to execute arbitrary code via the array_filter component
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-24T01:30:03.735Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30694

Vulnrichment

Updated: 2026-03-24T01:29:57.923Z

NVD

Status: Analyzed

Published: 2026-03-19T18:16:22.400

Modified: 2026-03-25T21:11:32.933

Link: CVE-2026-30694

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:20:46Z

Weaknesses