Cyber Resilience

CVE-2026-29839

High

Published: 24 March 2026

Modified: 25 March 2026
KEV Added: not listed
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (3.5th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-29839 is a high-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in DedeCMS (vendor/product: Dedecms Dedecms). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 3.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-29839 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, affecting DedeCMS version 5.7.118 in the /sys_task_add.php component. Published on 2026-03-24T16:16:30.787, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, no required privileges, and high potential impacts across confidentiality, integrity, and availability.

The vulnerability can be exploited by an unauthenticated attacker who tricks an authenticated user, typically an administrator, into submitting a forged request to /sys_task_add.php from a malicious web page, email, or link. Exploitation requires user interaction but no privileges on the attacker's side; the forged request rides on the victim's existing session and can perform unauthorized actions such as adding system tasks, with consequences that include data compromise, modification, or disruption.

References provided include a GitHub Gist at https://gist.github.com/w-p-man/43bfdf3c7cf889981d773d1276bb6a62, which may contain proof-of-concept details, and the official DedeCMS website at https://www.dedecms.com/. Security practitioners should review these sources for any advisories, patches, or mitigation guidance specific to this issue.


Vulnerability details

DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability in /sys_task_add.php.


Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1204.001 Malicious Link (Execution): An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

The CSRF flaw sits in a public-facing web application endpoint (/sys_task_add.php), which matches T1190; triggering the forged request depends on luring a logged-in user through a malicious link or email, which matches T1204.001.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-30643 (same product: Dedecms Dedecms)
- CVE-2026-30694 (same product: Dedecms Dedecms)
- CVE-2024-57241 (same product: Dedecms Dedecms)
- CVE-2025-70031 (shared CWE-352)
- CVE-2025-23902 (shared CWE-352)
- CVE-2026-34384 (shared CWE-352)
- CVE-2025-23880 (shared CWE-352)
- CVE-2025-30550 (shared CWE-352)
- CVE-2024-53829 (shared CWE-352)
- CVE-2025-23805 (shared CWE-352)

Affected Assets

Vendor: dedecms
Product: dedecms
Version: 5.7.118

Mitigating Controls (NIST 800-53 r5)

- Prevent: SC-23 (Session Authenticity) protects session authenticity, directly preventing CSRF attacks by ensuring forged requests to /sys_task_add.php cannot impersonate legitimate user sessions.
- Prevent: SI-10 (Information Input Validation) requires validation of all information inputs, enabling anti-CSRF tokens or checks to block unauthorized task-addition requests in DedeCMS.
- Prevent: SI-2 (Flaw Remediation) mandates timely remediation of identified flaws, directly addressing the CSRF vulnerability in DedeCMS v5.7.118 through patching /sys_task_add.php.
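To make the SC-23 and SI-10 controls concrete, the following is an added Python sketch (not DedeCMS code) of the two checks a state-changing handler such as a task-add endpoint should apply before acting: a per-session synchronizer token compared in constant time, and an Origin/Referer check against the site's own origin. The host name, form field names and the helper names are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed value standing in for the CMS's own origin (assumption).
SITE_ORIGIN = "https://cms.example.test"


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the user's session (synchronizer token pattern).
    The token is rendered into the legitimate form; a third-party page cannot read it."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def origin_allowed(headers: dict) -> bool:
    """Independent second check: the browser-set Origin (or Referer) must be our own site.
    A page on another site cannot rewrite these headers, so a mismatch means cross-site."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed: a state-changing request should carry a source header
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def validate_task_add(session: dict, method: str, form: dict, headers: dict) -> bool:
    """Decide whether a request to the task-add endpoint may change state."""
    if method != "POST":
        return False  # never change state on GET, so a bare link cannot trigger the action
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False  # token missing or wrong: the request did not originate from our form
    return origin_allowed(headers)


def demo() -> tuple:
    """Constructed sample requests: the real admin form, a forged cross-site POST, a bare link."""
    session = {"user": "admin"}
    token = issue_csrf_token(session)
    legitimate = validate_task_add(session, "POST", {"csrf_token": token, "name": "backup"},
                                   {"Origin": SITE_ORIGIN})
    forged_post = validate_task_add(session, "POST", {"name": "injected"},
                                    {"Origin": "https://attacker.example.test"})
    forged_link = validate_task_add(session, "GET", {"name": "injected"},
                                    {"Referer": "https://attacker.example.test/lure"})
    return legitimate, forged_post, forged_link
```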
