Impact
Discuz! X5.0 versions released between 20260320 and 20260610 contain a local file inclusion flaw that lets authenticated administrators import a crafted plugin configuration. The flaw exploits a path‑traversal sequence in the directory attribute and a bypass that occurs when an exception is triggered during installation, enabling the malicious path to be stored without sanitization. The stored path is later passed to PHP's include() function. Combined with the platform’s file‑upload capability, this permits an attacker to execute arbitrary code with the privileges of the web‑server user.
Affected Systems
The vulnerability affects the Discuz! X5.0 content‑management system. Specifically, any installation from the release cycle starting on 2026‑03‑20 and ending on 2026‑06‑10 is impacted. Administrators with valid credentials on these builds are at risk.
Risk and Exploitability
The flaw carries a CVSS score of 8.6, indicating a high severity. The EPSS score is less than 1%, suggesting that, at present, the likelihood of exploitation is low but not zero. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires administrator privilege and the ability to upload or modify plugin configuration files. Once an attacker satisfies these prerequisites, they can gain arbitrary code execution on the web‑server account.
OpenCVE Enrichment