Description
A vulnerability has been found in gougucms 4.08.18. This affects the function reg_submit of the file gougucms-master\app\home\controller\Login.php of the component User Registration Handler. Such manipulation of the argument level leads to dynamically-determined object attributes. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Apply Patch
AI Analysis

Impact

A flaw in gougucms 4.08.18 allows attackers to manipulate the request payload sent to the registration endpoint, causing the application to set arbitrary object properties dynamically. This mass-assignment vulnerability can lead to code execution or privilege escalation if the attacker crafts input that triggers sensitive logic. The weakness aligns with the mass-assignment category, exposing the application to remote attackers who can trigger the flaw without prior authentication.

Affected Systems

The product affected is Gougucms version 4.08.18. No other versions or vendors are listed as vulnerable in the available data. The vulnerability resides in the reg_submit function within app/home/controller/Login.php, which manages user registrations through the web interface.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score is not provided and the issue is not catalogued in the KEV list. The likely attack vector is a remote POST request to the /login.php registration endpoint that supplies crafted data. No additional credentials or elevated permissions are required; the function directly processes user-supplied input, making the exploit straightforward once the target is identified.

Generated by OpenCVE AI on April 1, 2026 at 06:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gougucms to a release that patches the reg_submit mass‑assignment flaw or apply any vendor patch if available.
  • If no official fix exists, restrict access to the registration page by IP or apply a Web Application Firewall rule that blocks suspicious or malformed registration requests.
  • Enforce strict input validation and parameter whitelisting on the registration form to prevent dynamic attribute assignment.
  • Monitor registration logs for anomalies and review any unexpected account creation events.

Generated by OpenCVE AI on April 1, 2026 at 06:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in gougucms 4.08.18. This affects the function reg_submit of the file gougucms-master\app\home\controller\Login.php of the component User Registration Handler. Such manipulation of the argument level leads to dynamically-determined object attributes. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title gougucms User Registration Login.php reg_submit dynamically-determined object attributes
First Time appeared Gougucms
Gougucms gougucms
Weaknesses CWE-913
CWE-915
CPEs cpe:2.3:a:gougucms:gougucms:*:*:*:*:*:*:*:*
Vendors & Products Gougucms
Gougucms gougucms
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Gougucms Gougucms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-01T12:14:32.764Z

Reserved: 2026-03-31T16:00:46.705Z

Link: CVE-2026-5248

cve-icon Vulnrichment

Updated: 2026-04-01T12:13:19.810Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-01T01:16:41.990

Modified: 2026-04-01T14:23:37.727

Link: CVE-2026-5248

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:18:38Z

Weaknesses