Description
A security flaw has been discovered in DefaultFuction Content-Management-System 1.0. This issue affects some unknown processing of the file /admin/tools.php. The manipulation of the argument host results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-04-02
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Patch ASAP
AI Analysis

Impact

The flaw is in the admin tools interface (/admin/tools.php) of DefaultFuction Content-Management-System 1.0, where the host parameter is concatenated into a system command without proper validation. An attacker can therefore inject arbitrary operating system commands and achieve remote command execution. The weakness is classified as CWE-74 (Injection) and, more specifically, CWE-77 (Command Injection). Successful exploitation would compromise the confidentiality, integrity, and availability of the targeted web server, potentially allowing full system compromise.

Affected Systems

Only the 1.0 release of DefaultFuction Content-Management-System is affected. All installations of that version, as identified by the vendor's GitHub repository, are vulnerable. No other versions or products are known to be impacted at this time.

Risk and Exploitability

The CVSS 4.0 score of 6.9 classifies the issue as moderate severity, and the EPSS score (below 1 %) indicates a low current probability of exploitation; however, a public exploit has already been released, so attackers could still target the system. The vulnerability is not listed in CISA's KEV catalog. Exploitation can be carried out remotely by sending a crafted HTTP request to /admin/tools.php with a malicious host value. The record does not state that authentication is required, and the CVSS vectors record PR:N (no privileges required), implying the endpoint is reachable by unauthenticated users.

Generated by OpenCVE AI on April 7, 2026 at 23:35 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-issued patch that addresses the command injection in /admin/tools.php as soon as one is available.
  • While a patch is unavailable, enforce authentication and restrict network access to /admin/tools.php so that only trusted administrators can reach it.
  • Add input validation or allowlist checks to the host parameter before it is used in any system command, and pass the validated value to the shell as a single quoted argument.
  • Monitor web server logs for unexpected commands or anomalies on the /admin/tools.php endpoint and investigate promptly.

Generated by OpenCVE AI on April 7, 2026 at 23:35 UTC.
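One way to implement the host check that the recommended actions describe, as an added example that is not code from DefaultFuction CMS or from OpenCVE. Only the parameter name host and the file /admin/tools.php come from the advisory; the ping tool, the POST method and the function names are assumptions.

```php
<?php
// Added example, not DefaultFuction CMS code: allowlist a user-supplied
// "host" value before it reaches any shell command. The parameter name is
// from the advisory; the ping tool and function names are assumptions.
// The pattern the advisory describes (assumed shape) is a bare
// concatenation such as: shell_exec('ping -c 1 ' . $_POST['host']);
declare(strict_types=1);

/**
 * Return $host unchanged only if it is a syntactically valid hostname or
 * IP literal; return null for anything else, which rejects every shell
 * metacharacter (; | & ` $ ( ) newline, ...) before a command is built.
 */
function validateHost(string $host): ?string
{
    $host = trim($host);
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    // IPv4 or IPv6 literal.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    // RFC 1123 hostname: dot-separated labels of letters, digits, hyphens.
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false) {
        return $host;
    }
    return null;
}

/**
 * Build the command for an admin "ping" tool (assumed use case). Even after
 * the allowlist check, escapeshellarg() quotes the value so the validated
 * string is always exactly one argument to the program.
 */
function buildPingCommand(string $host): ?string
{
    $safeHost = validateHost($host);
    if ($safeHost === null) {
        return null; // caller answers with HTTP 400
    }
    return 'ping -c 1 ' . escapeshellarg($safeHost);
}

// Request handling. This must sit behind the CMS's admin session check;
// a rejected value never reaches shell_exec().
$cmd = buildPingCommand((string) ($_POST['host'] ?? ''));
if ($cmd === null) {
    http_response_code(400);
    exit('invalid host');
}
echo htmlspecialchars((string) shell_exec($cmd), ENT_QUOTES, 'UTF-8');
```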

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

  • First Time appeared (values added): Defaultfuction content Management System
  • CPEs (values added): cpe:2.3:a:defaultfuction:content_management_system:1.0:*:*:*:*:*:*:*
  • Vendors & Products (values added): Defaultfuction content Management System

Thu, 02 Apr 2026 20:30:00 +0000

  • First Time appeared (values added): Defaultfuction; Defaultfuction content-management-system
  • Vendors & Products (values added): Defaultfuction; Defaultfuction content-management-system

Thu, 02 Apr 2026 14:15:00 +0000

  • Metrics (values added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 13:45:00 +0000

  • Description (values added): A security flaw has been discovered in DefaultFuction Content-Management-System 1.0. This issue affects some unknown processing of the file /admin/tools.php. The manipulation of the argument host results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
  • Title (values added): DefaultFuction Content-Management-System tools.php command injection
  • Weaknesses (values added): CWE-74; CWE-77
  • References (values added):
  • Metrics (values added):
      cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
      cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-02T13:54:13.691Z

Reserved: 2026-04-01T14:01:58.729Z

Link: CVE-2026-5333

Vulnrichment

Updated: 2026-04-02T13:54:04.693Z

NVD

Status: Analyzed

Published: 2026-04-02T14:16:36.827

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-5333

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:56:32Z

Weaknesses
  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')