Description
Discuz! X5.0 releases 20260320 through 20260610 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute. Attackers can trigger an exception during plugin installation to bypass sanitization routines, causing malicious paths to be stored unsanitized and subsequently passed to include(), which combined with file upload functionality escalates to arbitrary code execution in the context of the web server user.
Published: 2026-06-15
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Discuz! X5.0 versions released between 20260320 and 20260610 contain a local file inclusion flaw that lets authenticated administrators import a crafted plugin configuration. The flaw exploits a path‑traversal sequence in the directory attribute and a bypass that occurs when an exception is triggered during installation, enabling the malicious path to be stored without sanitization. The stored path is later passed to PHP's include() function. Combined with the platform’s file‑upload capability, this permits an attacker to execute arbitrary code with the privileges of the web‑server user.

Affected Systems

The vulnerability affects the Discuz! X5.0 content‑management system. Specifically, any installation from the release cycle starting on 2026‑03‑20 and ending on 2026‑06‑10 is impacted. Administrators with valid credentials on these builds are at risk.

Risk and Exploitability

The flaw carries a CVSS score of 8.6, indicating a high severity. The EPSS score is less than 1%, suggesting that, at present, the likelihood of exploitation is low but not zero. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires administrator privilege and the ability to upload or modify plugin configuration files. Once an attacker satisfies these prerequisites, they can gain arbitrary code execution on the web‑server account.

Generated by OpenCVE AI on June 18, 2026 at 01:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Discuz! to the latest version that removes the vulnerable enable_disable.php plugin directory and its related inclusion logic.
  • Disable or restrict the ability of administrators to import plugin configuration files that contain custom directory attributes, ensuring that only whitelisted, trusted paths are accepted.
  • Configure the web server to block PHP execution in any upload or plugin directories and enforce strict input validation for all path components used in include() operations.

Generated by OpenCVE AI on June 18, 2026 at 01:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Discuz
Discuz discuzx
Vendors & Products Discuz
Discuz discuzx

Tue, 16 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
References

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Discuz! X5.0 releases 20260320 through 20260501 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute. Attackers can trigger an exception during plugin installation to bypass sanitization routines, causing malicious paths to be stored unsanitized and subsequently passed to include(), which combined with file upload functionality escalates to arbitrary code execution in the context of the web server user. Discuz! X5.0 releases 20260320 through 20260610 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute. Attackers can trigger an exception during plugin installation to bypass sanitization routines, causing malicious paths to be stored unsanitized and subsequently passed to include(), which combined with file upload functionality escalates to arbitrary code execution in the context of the web server user.

Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description Discuz! X5.0 releases 20260320 through 20260501 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute. Attackers can trigger an exception during plugin installation to bypass sanitization routines, causing malicious paths to be stored unsanitized and subsequently passed to include(), which combined with file upload functionality escalates to arbitrary code execution in the context of the web server user.
Title Discuz! X5.0 Local File Inclusion via enable_disable.php Plugin Directory
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-16T15:20:11.714Z

Reserved: 2026-06-02T16:30:15.232Z

Link: CVE-2026-49954

cve-icon Vulnrichment

Updated: 2026-06-16T09:48:25.815Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:29.420

Modified: 2026-06-16T12:16:26.610

Link: CVE-2026-49954

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T01:30:15Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')