Description
Discuz! X5.0 releases 20260320 through 20260610 contain a CAPTCHA bypass vulnerability that allows unauthenticated remote attackers to defeat the challenge by exploiting the limited complexity and predictable character set of the generated CAPTCHA images. An attacker can train a custom optical character recognition (OCR) model on collected CAPTCHA samples and reliably predict the challenge text, bypassing the protection that CAPTCHA provides for login, registration, and other functionality against automated abuse.
Published: 2026-06-15
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Discuz! X5.0 releases 20260320 through 20260610 contain a CAPTCHA bypass vulnerability that permits unauthenticated remote attackers to defeat the CAPTCHA challenge by exploiting the limited complexity and predictable character set used to generate the CAPTCHA images. The weakness is catalogued as CWE-804 (Guessable CAPTCHA): the challenge text can be determined by a machine, here by training a custom optical character recognition model on collected CAPTCHA samples until it reliably reads the challenge, which removes the protection that login, registration and other CAPTCHA-gated functions rely on to mitigate automated abuse.

Affected Systems

Discuz! X5.0: releases 20260320 through 20260610 (inclusive) are affected. No fixed release is named on this page.

Risk and Exploitability

The CVSS v4.0 base score of 6.9 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N) rates this as medium severity: reachable over the network with no privileges or user interaction, but with only limited confidentiality and integrity impact. The EPSS score is below 1 % and the CVE is not listed in CISA KEV; note, however, that the SSVC record on this page marks Exploitation as "poc" and Automatable as "yes", so the low EPSS should not be read as "no working technique exists". An attacker would harvest CAPTCHA images from the exposed login or registration pages, train an OCR model offline, and then drive those forms with the model in the loop, at which point the CAPTCHA no longer slows account creation, credential stuffing or password guessing. The bypass itself discloses no credentials and grants no access; the impact comes from whatever the CAPTCHA was gating, so the practical risk is highest on sites where it is the only throttle on login attempts and registrations.

Generated by OpenCVE AI on June 16, 2026 at 22:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Discuz! X5.0 release newer than 20260610 once the vendor publishes one that changes the CAPTCHA generator; at the time of this record no fixed release is identified
  • Until then, replace (do not simply disable) the CAPTCHA on login, registration and other sensitive forms with a stronger anti‑bot control, for example reCAPTCHA v2/v3 or an equivalent challenge service
  • Add per‑IP and per‑account rate limiting on those forms and monitor authentication logs for bot‑like patterns: many attempts per minute from one source, near‑100 % CAPTCHA pass rates at machine speed, and many distinct usernames from a single IP
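
As an added example (not Discuz! code and not part of the OpenCVE record), the following Python scores a constructed authentication log for the patterns the actions above describe: a per-source sliding-window rate limit, plus heuristics for the signature a CAPTCHA-solving bot leaves behind, namely a near-perfect CAPTCHA pass rate at machine speed, mostly failed logins, and many distinct usernames from one address. The log format, the field names and every threshold are assumptions to adapt to the real application's logs.

```python
"""Flag bot-driven login/registration traffic of the kind a CAPTCHA bypass enables.

Added example, not Discuz! code. The log format is an assumption:
'<iso-8601 UTC timestamp> <client-ip> <action> captcha=<ok|fail> auth=<ok|fail> user=<name>'
and every threshold below is a starting point to tune against real traffic.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW_SECONDS = 60      # sliding window for the per-source rate limit (assumed policy)
MAX_ATTEMPTS = 10        # attempts per source per window before further ones are refused
MIN_FLAG_ATTEMPTS = 10   # do not judge a source on fewer samples than this
CAPTCHA_OK_RATE = 0.95   # humans mistype CAPTCHAs; a near-perfect rate at bot speed is suspicious
AUTH_FAIL_RATE = 0.80    # ...combined with mostly failed logins looks like credential stuffing
DISTINCT_USERS = 5       # many usernames from one IP is another stuffing signature

# Constructed sample: two humans (203.0.113.9, 192.0.2.5) and one bot (198.51.100.7)
# that solves every CAPTCHA and tries a new username every second.
SAMPLE_LOG = """\
2026-06-16T10:00:00Z 203.0.113.9 login captcha=fail auth=fail user=carol
2026-06-16T10:00:31Z 203.0.113.9 login captcha=ok auth=ok user=carol
2026-06-16T10:02:10Z 192.0.2.5 register captcha=ok auth=ok user=dave99
2026-06-16T10:00:01Z 198.51.100.7 login captcha=ok auth=fail user=alice
2026-06-16T10:00:02Z 198.51.100.7 login captcha=ok auth=fail user=bob
2026-06-16T10:00:03Z 198.51.100.7 login captcha=ok auth=fail user=carol
2026-06-16T10:00:04Z 198.51.100.7 login captcha=ok auth=fail user=dave
2026-06-16T10:00:05Z 198.51.100.7 login captcha=ok auth=fail user=erin
2026-06-16T10:00:06Z 198.51.100.7 login captcha=ok auth=fail user=frank
2026-06-16T10:00:07Z 198.51.100.7 login captcha=ok auth=fail user=grace
2026-06-16T10:00:08Z 198.51.100.7 login captcha=ok auth=ok user=heidi
2026-06-16T10:00:09Z 198.51.100.7 login captcha=ok auth=fail user=ivan
2026-06-16T10:00:10Z 198.51.100.7 login captcha=ok auth=fail user=judy
2026-06-16T10:00:11Z 198.51.100.7 login captcha=ok auth=fail user=mallory
2026-06-16T10:00:12Z 198.51.100.7 login captcha=ok auth=fail user=oscar
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on malformed input."""
    ts, ip, action, captcha, auth, user = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "ip": ip,
        "action": action,
        "captcha_ok": captcha == "captcha=ok",
        "auth_ok": auth == "auth=ok",
        "user": user.split("=", 1)[1],
    }


class SlidingWindowLimiter:
    """Allow at most `limit` events per key in any `window`-second span.
    Events must be fed in non-decreasing time order per key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = timedelta(seconds=window)
        self.events = defaultdict(deque)

    def allow(self, key, ts):
        q = self.events[key]
        while q and ts - q[0] >= self.window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def rate_limit_sequence(offsets_seconds, limit=MAX_ATTEMPTS, window=WINDOW_SECONDS):
    """Run one key's attempts (offsets in seconds) through the limiter; one allow/deny per attempt."""
    base = datetime(2026, 6, 16, tzinfo=timezone.utc)
    lim = SlidingWindowLimiter(limit, window)
    return [lim.allow("k", base + timedelta(seconds=s)) for s in offsets_seconds]


def analyze(log_text):
    """Return {ip: [reasons]} for sources whose behaviour looks automated."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    limiter = SlidingWindowLimiter(MAX_ATTEMPTS, WINDOW_SECONDS)
    stats = defaultdict(lambda: {"attempts": 0, "captcha_ok": 0, "auth_fail": 0,
                                 "users": set(), "blocked": 0})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["captcha_ok"] += int(e["captcha_ok"])
        s["auth_fail"] += int(not e["auth_ok"])
        s["users"].add(e["user"])
        if not limiter.allow(e["ip"], e["ts"]):
            s["blocked"] += 1

    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["attempts"] >= MIN_FLAG_ATTEMPTS:
            if (s["captcha_ok"] / s["attempts"] >= CAPTCHA_OK_RATE
                    and s["auth_fail"] / s["attempts"] >= AUTH_FAIL_RATE):
                reasons.append("near-perfect CAPTCHA pass rate with mostly failed logins")
            if len(s["users"]) >= DISTINCT_USERS:
                reasons.append(f"{len(s['users'])} distinct usernames from one source")
        if s["blocked"]:
            reasons.append(f"{s['blocked']} attempts refused by the {WINDOW_SECONDS}s rate limit")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Run it directly to print the flagged sources; on the constructed log only 198.51.100.7 is reported, on all three grounds. The CAPTCHA pass-rate heuristic is the one specific to this CVE: once the OCR model is good, the bot stops failing CAPTCHAs, which is precisely what distinguishes it from a human who is also hitting the rate limit.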

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 14:00:00 +0000

Type: First Time appeared
Values Added: Discuz; Discuz discuzx
Type: Vendors & Products
Values Added: Discuz; Discuz discuzx

Tue, 16 Jun 2026 12:30:00 +0000

Type: References (values not shown on this page)
Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 20:30:00 +0000

Type: Description
Values Removed: Discuz! X5.0 releases 20260320 through 20260501 contains a CAPTCHA bypass vulnerability that allows unauthenticated remote attackers to defeat challenge controls by exploiting limited complexity and predictable character sets in generated CAPTCHA images. Attackers can train a custom optical character recognition model against collected CAPTCHA samples to reliably predict challenge text, bypassing protections on login, registration, and other functionality from automated abuse.
Values Added: Discuz! X5.0 releases 20260320 through 20260610 contains a CAPTCHA bypass vulnerability that allows unauthenticated remote attackers to defeat challenge controls by exploiting limited complexity and predictable character sets in generated CAPTCHA images. Attackers can train a custom optical character recognition model against collected CAPTCHA samples to reliably predict challenge text, bypassing protections on login, registration, and other functionality from automated abuse.

Mon, 15 Jun 2026 19:30:00 +0000

Type: Description
Values Added: Discuz! X5.0 releases 20260320 through 20260501 contains a CAPTCHA bypass vulnerability that allows unauthenticated remote attackers to defeat challenge controls by exploiting limited complexity and predictable character sets in generated CAPTCHA images. Attackers can train a custom optical character recognition model against collected CAPTCHA samples to reliably predict challenge text, bypassing protections on login, registration, and other functionality from automated abuse.
Type: Title
Values Added: Discuz! X5.0 CAPTCHA Bypass via Predictable Character Set
Type: Weaknesses
Values Added: CWE-804
Type: References (values not shown on this page)
Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
Values Added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-16T09:48:24.870Z

Reserved: 2026-06-02T16:30:15.232Z

Link: CVE-2026-49953

Vulnrichment

Updated: 2026-06-16T09:48:24.870Z

NVD

Status: Deferred

Published: 2026-06-15T20:16:29.260

Modified: 2026-06-16T12:16:26.497

Link: CVE-2026-49953

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T23:00:06Z

Weaknesses