Impact
Discuz! X5.0 releases 20260320 through 20260610 contain a CAPTCHA bypass flaw that permits an unauthenticated remote attacker to defeat the challenge controls by exploiting the limited complexity and predictable character set used in the generated CAPTCHA images. The vulnerability allows an attacker to train a custom OCR model against collected CAPTCHA samples, reliably predicting the correct challenge text and bypassing protections on login, registration and other forms that rely on CAPTCHA to limit automated abuse.
Affected Systems
Discuz!: Discuz! X5.0 releases published between 20260320 and 20260610 are affected.
Risk and Exploitability
The CVSS score of 6.9 indicates a medium severity flaw, while the EPSS score being less than 1 % suggests exploitation is currently unlikely. The vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector is a network-based web attack where an adversary downloads CAPTCHA images from exposed pages, trains an OCR model offline, and then uses the trained model to automatically submit correct answers, enabling activities such as automated account creation or login attempts. The impact is a reduction in the effectiveness of CAPTCHA controls to deter bot-driven abuse, but the CVE description does not directly state any privilege escalation or data exfiltration outcomes.
OpenCVE Enrichment