CRITICAL🇵🇱 Wersja polska

CVE-2026-30694

CVSS 9.8v3.1pub. 2026-03-19upd. 2026-03-25

An issue in DedeCMS v.5.7.118 and before allows a remote attacker to execute arbitrary code via the array_filter component

🤖 AI Analysis
How it works

The vulnerability classified as CWE-94 (Code Injection) affects the array_filter component in DedeCMS. An attacker can supply specially crafted input data that is then processed by this component in a way that allows injection and execution of arbitrary code on the server side. The attack is possible remotely over the network without requiring authentication or user interaction.

Impact

An attacker can gain full control over the server — including reading, modifying or deleting data, as well as installing a backdoor or executing arbitrary code with the privileges of the web server process.

Mitigation & patch

Apply patches available from the vendor according to the references. Until an update is applied, it is recommended to restrict access to the DedeCMS administration panel at the firewall level and monitor suspicious network traffic.

Who is affected

DedeCMS version 5.7.118 and all earlier versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Dedecms

    APP
    Dedecms
    ≤ 5.7.118
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-30643CRITICAL9.8PL ✓ten sam produkt

DedeCMS 5.7.118 — zdalne wykonanie kodu przez upload modułu (RCE)

CVE-2024-35510CRITICAL9.8PL ✓ten sam produkt

DedeCMS – arbitrary file upload umożliwiający RCE

CVE-2024-35375CRITICAL9.8PL ✓ten sam produkt

DedeCMS 5.7.114 — arbitrary file upload w panelu administracyjnym

CVE-2024-33749CRITICAL9.1PL ✓ten sam produkt

DedeCMS – nieautoryzowane usunięcie dowolnego pliku przez mail_file_manage.php

CVE-2024-29661CRITICAL9.8PL ✓ten sam produkt

Krytyczne RCE przez File Upload w DedeCMS v5.7