Description
DedeCMS V5.7.118 is vulnerable to Command Execution in file_manage_control.php.
Published: 2026-06-09
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

DedeCMS version 5.7.118 contains a flaw in the file_manage_control.php script that allows an attacker to craft requests that result in arbitrary operating-system command execution. This weakness is a classic example of command injection. The description does not specify authentication requirements, so it is inferred that any user able to reach the vulnerable endpoint could send the crafted requests. Such a compromise would grant the attacker the ability to execute any shell command with the permissions of the web server process.

Affected Systems

The vulnerability affects the DedeCMS web content management system, specifically the 5.7.118 release. No other versions are listed as affected, so systems running earlier or later releases are presumed unaffected, but this should be verified against vendor advisories.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity. The description indicates that command execution is possible via crafted requests to the vulnerable file_manage_control.php endpoint. It is not explicitly stated whether authentication is required; it is inferred that unrestricted access to the endpoint could allow exploitation. The risk remains high in environments where the application is publicly accessible, and the EPSS score of less than 1% suggests a low but non-zero probability of exploitation. Attackers would likely use crafted HTTP requests to invoke filesystem commands, exploiting insufficient input validation.

Generated by OpenCVE AI on June 10, 2026 at 16:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DedeCMS to a patched release where the command execution bug is resolved.
  • Disable the file_manage_control.php endpoint or restrict its access through web server configuration (e.g., deny all but administrators).
  • Configure PHP to block dangerous functions such as exec, system, shell_exec in php.ini (disable_functions directive).

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 17:00:00 +0000

Type | Values Removed | Values Added
Title | | DedeCMS 5.7.118 Command Execution Vulnerability in File Management Controller

Wed, 10 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dedecms; Dedecms dedecms
Vendors & Products | | Dedecms; Dedecms dedecms

Tue, 09 Jun 2026 18:45:00 +0000

Type | Values Removed | Values Added
Title | | DedeCMS 5.7.118 Command Execution Vulnerability in File Management Controller
Weaknesses | | CWE-78

Tue, 09 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | DedeCMS V5.7.118 is vulnerable to Command Execution in file_manage_control.php.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-10T13:51:06.422Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38615

Vulnrichment

Updated: 2026-06-10T13:50:55.404Z

NVD

Status : Deferred

Published: 2026-06-09T17:17:05.570

Modified: 2026-06-10T15:16:33.953

Link: CVE-2026-38615

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T16:45:35Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')