Impact
DedeCMS version 5.7.118 contains a command injection flaw in the file_manage_control.php script: crafted requests to that endpoint can cause arbitrary operating-system commands to run on the hosting server. Command injection of this kind gives an attacker code execution with the privileges of the web server process (typically the account PHP runs under), from which data theft, ransomware deployment, web shell persistence, and lateral movement all follow. Any client that can reach the vulnerable endpoint and pass whatever access checks the script applies can run arbitrary shell commands; the blast radius is bounded only by the privileges of the web server account and how well the host is isolated from the rest of the environment.
Affected Systems
The vulnerability affects the DedeCMS web content management system, specifically the 5.7.118 release. No other versions are listed as affected here, but the listing does not say whether earlier releases share the same code path in file_manage_control.php, so systems running other versions should not be assumed clean; verify the affected range against the vendor's advisory and check the deployed file_manage_control.php for the fix before closing the finding.
Risk and Exploitability
The CVSS score is not disclosed here, but remote command execution on the web server warrants a high severity rating. The description provided does not state whether the endpoint requires authentication; until the vendor advisory confirms otherwise, treat the worst case (reachable without credentials) as the planning assumption, which makes exploitation likelihood significant wherever the application is exposed to the internet. Nothing on this page indicates the flaw has been added to CISA's Known Exploited Vulnerabilities catalog, but absence from that catalog is not evidence that it is unexploited. Attackers would likely send crafted HTTP requests to the script with shell metacharacters in the parameter that reaches a command string, exploiting insufficient input validation. The practical barrier to exploitation is minimal if the PHP configuration still permits the exec family of functions (exec, system, shell_exec, passthru, popen, proc_open); listing them in php.ini's disable_functions raises the bar but should be treated as defence in depth, not as a fix, since it does not remove the injection.
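As an added example (not code from this page or from the DedeCMS project), the following Python script shows the kind of detection a defender can run over web server access logs while waiting for a patch: it flags requests to file_manage_control.php whose query parameters carry shell metacharacters, decoding percent-encoding repeatedly so that double-encoded payloads are not missed. The log lines are constructed for this example, and the parameter names fmdo and filename are illustrative assumptions; the advisory does not name the injectable parameter.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Script named in the advisory. Parameter names in the sample log are
# assumptions for illustration; the advisory does not name the injectable one.
TARGET_SCRIPT = "file_manage_control.php"

# Characters and sequences that let a value escape a shell command string.
SHELL_META = re.compile(r"[;&|`$<>\n]")

# Combined-format access log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log, not real traffic. Line 2 injects ";id" directly;
# line 3 double-encodes "&cat /etc/passwd" so a single decode would miss it;
# line 4 carries metacharacters but targets a different script and is ignored.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET /dede/file_manage_control.php?fmdo=edit&filename=index.html HTTP/1.1" 200 512
203.0.113.7 - - [12/May/2024:10:02:15 +0000] "GET /dede/file_manage_control.php?fmdo=edit&filename=a.txt;id HTTP/1.1" 200 812
203.0.113.7 - - [12/May/2024:10:03:40 +0000] "GET /dede/file_manage_control.php?fmdo=edit&filename=a.txt%2526cat%2520/etc/passwd HTTP/1.1" 200 812
10.0.0.9 - - [12/May/2024:10:04:01 +0000] "GET /dede/index.php?q=a;b HTTP/1.1" 200 100
"""


def decode_fully(value, max_rounds=4):
    """Percent-decode repeatedly until stable so double-encoded payloads surface."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_query(query):
    """Split a raw query string on '&' only (never ';'), decoding each value fully.

    Done by hand rather than with parse_qs so that ';' inside a value, which is
    exactly what an injection attempt looks like, is never treated as a separator.
    """
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), decode_fully(value)))
    return pairs


def suspicious_params(target):
    """Return (name, decoded_value) pairs that contain shell metacharacters,
    but only for requests whose path ends in the vulnerable script."""
    parts = urlsplit(target)
    if not parts.path.endswith("/" + TARGET_SCRIPT):
        return []
    return [(n, v) for n, v in parse_query(parts.query) if SHELL_META.search(v)]


def scan_log(text):
    """Return one finding per log line that looks like an injection attempt."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "status": m.group("status"), "params": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} params={f['params']}")
```

Access logs record only the request line, so if the injectable parameter travels in a POST body this script will not see it; in that case request-body logging at the reverse proxy or a WAF rule applying the same metacharacter test is needed. A legitimate filename containing one of these characters will produce a false positive, which is an acceptable trade for a file-management endpoint under an active command injection advisory.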
OpenCVE Enrichment