Cyber Posture

CVE-2026-29839

High

Published: 24 March 2026
Modified: 25 March 2026
KEV Added: not listed
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (3.5th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-29839 is a high-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in DedeCMS version 5.7.118 (vendor Dedecms), affecting the /sys_task_add.php endpoint. Its CVSS 3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0002 places it at the 3.5th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and User Execution: Malicious Link (T1204.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SC-23 Session Authenticity (prevent): a request to /sys_task_add.php must be provably tied to the authenticated session rather than to the cookies the browser attaches on its own. A per-session anti-CSRF token included in the form and verified server-side provides that binding, so a request forged from another origin cannot ride on the administrator's session even though the browser sends the session cookie. Marking the session cookie SameSite adds a second, browser-enforced layer.

SI-10 Information Input Validation (prevent): every input to the endpoint is validated before it is acted on, which for this flaw means checking the anti-CSRF token with a constant-time comparison, rejecting requests whose Origin (or, failing that, Referer) header does not name the site itself, and accepting task additions only over POST.

SI-2 Flaw Remediation (prevent): identified flaws are remediated in a timely manner. The page lists no vendor advisory or fixed release for DedeCMS v5.7.118, so check the references for a fix and, until one is applied, rely on the controls above and on restricting network access to the administrative interface.
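The two patterns the controls above contrast can be shown side by side. The following Python is an added illustration, not DedeCMS code (which is PHP) and not from the advisory: it models a task-add handler that trusts the session cookie alone, the pattern CSRF abuses, next to the same handler with a per-session synchronizer token, an Origin/Referer check and a POST-only rule. The site origin, the Session and Request classes, the task field name and the attacker origin are all assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Assumptions for the example (not from the advisory): where the CMS is served,
# and the endpoint path taken from the NVD description.
SITE_ORIGIN = "https://cms.example.test"
TASK_ENDPOINT = "/sys_task_add.php"


@dataclass
class Session:
    """Server-side session for one logged-in user; the token is issued per session."""
    user: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """The parts of an HTTP request the checks below look at (header names lower-cased)."""
    method: str
    path: str
    form: dict
    headers: dict
    session: Optional[Session]   # resolved from the cookie the browser attaches automatically


def add_task_vulnerable(req: Request, tasks: list) -> bool:
    """The pattern the advisory describes: a logged-in admin session is the only check,
    so any page the admin's browser visits can make this call with their cookie."""
    if req.path != TASK_ENDPOINT or req.session is None or not req.session.is_admin:
        return False
    tasks.append(req.form.get("task"))
    return True


def same_origin(req: Request) -> bool:
    """Origin (or Referer as fallback) must name this site. A missing header on a
    state-changing request is treated as cross-site, because a lure page can suppress it."""
    src = req.headers.get("origin") or req.headers.get("referer")
    if not src:
        return False
    u, s = urlsplit(src), urlsplit(SITE_ORIGIN)
    return (u.scheme, u.netloc) == (s.scheme, s.netloc)


def csrf_token_valid(req: Request) -> bool:
    """Synchronizer token: the form must carry the token issued to this session.
    compare_digest keeps the comparison constant-time."""
    submitted = req.form.get("csrf_token", "")
    return bool(submitted) and hmac.compare_digest(
        submitted.encode(), req.session.csrf_token.encode())


def add_task_hardened(req: Request, tasks: list) -> bool:
    """Same endpoint with the SC-23 / SI-10 style checks: admin session, POST only,
    same-origin source, and a valid per-session anti-CSRF token."""
    if req.path != TASK_ENDPOINT or req.session is None or not req.session.is_admin:
        return False
    if req.method != "POST" or not same_origin(req) or not csrf_token_valid(req):
        return False
    tasks.append(req.form.get("task"))
    return True


def forged_request(admin: Session) -> Request:
    """Constructed cross-site request, as an auto-submitting form on attacker.test would
    produce: the browser attaches the admin's cookie, but the attacker cannot read the
    token and the Origin header names their own site."""
    return Request("POST", TASK_ENDPOINT, {"task": "attacker-task"},
                   {"origin": "https://attacker.test"}, admin)


def legitimate_request(admin: Session) -> Request:
    """Constructed request from the CMS's own admin form."""
    return Request("POST", TASK_ENDPOINT,
                   {"task": "nightly-cleanup", "csrf_token": admin.csrf_token},
                   {"origin": SITE_ORIGIN}, admin)


def demo() -> dict:
    admin = Session(user="admin", is_admin=True)
    vulnerable_tasks, hardened_tasks = [], []
    return {
        "vulnerable_accepts_forgery": add_task_vulnerable(forged_request(admin), vulnerable_tasks),
        "hardened_rejects_forgery": not add_task_hardened(forged_request(admin), hardened_tasks),
        "hardened_accepts_legit": add_task_hardened(legitimate_request(admin), hardened_tasks),
        "hardened_tasks": hardened_tasks,
    }


if __name__ == "__main__":
    print(demo())
```

The token check alone is sufficient to stop the forgery; the Origin check and POST-only rule are defence in depth for the case where a token leaks or a template forgets to include it.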

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1204.001 User Execution: Malicious Link (Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.

Why these techniques?

The CSRF flaw sits in a public-facing web application endpoint (/sys_task_add.php), which is why it maps to T1190; but the forged request has to be issued by an already-authenticated user's browser, so the attacker must first lure that user to a malicious page or link (T1204.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
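For the detection side of these techniques, the following Python is an added example (not part of the page or of DedeCMS) that scans web-server access logs for the footprint a forged submission leaves: a POST to /sys_task_add.php whose Referer names another site, or no Referer at all. The log lines are constructed for the example, the host name is an assumption, and Combined Log Format is assumed because it records Referer but not Origin.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumptions (not from the advisory): the CMS is served from this host, and the
# log is Apache/nginx Combined Log Format.
SITE_HOST = "cms.example.test"
WATCHED_PATHS = {"/sys_task_add.php"}   # state-changing endpoint named in the advisory

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample traffic for one admin browser (203.0.113.7); not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2026:10:01:02 +0000] "GET /sys_task_add.php HTTP/1.1" 200 5120 "https://cms.example.test/index.php" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2026:10:01:30 +0000] "POST /sys_task_add.php HTTP/1.1" 302 0 "https://cms.example.test/sys_task_add.php" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2026:10:15:44 +0000] "POST /sys_task_add.php HTTP/1.1" 302 0 "https://attacker.test/win-a-prize.html" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2026:10:16:01 +0000] "POST /sys_task_add.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Mar/2026:10:20:00 +0000] "POST /login.php HTTP/1.1" 200 800 "https://attacker.test/" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one Combined Log Format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> Optional[str]:
    """Return a reason if the entry looks like a forged state-changing request.

    Only POSTs to the watched paths matter; the GET that renders the form is normal.
    A same-site form submission carries the site's own Referer. A submission driven
    from another origin carries that origin, and a lure page that sets
    Referrer-Policy: no-referrer leaves the field empty ("-"), which is why an
    absent Referer on a state-changing request is itself reported.
    """
    path = entry["target"].split("?", 1)[0]
    if entry["method"] != "POST" or path not in WATCHED_PATHS:
        return None
    referer = entry["referer"]
    if referer in ("", "-"):
        return "missing-referer"
    if urlsplit(referer).hostname != SITE_HOST:
        return "cross-site-referer"
    return None


def detect(log_text: str) -> list:
    """Run classify() over every parseable line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            findings.append({"ip": entry["ip"], "time": entry["time"],
                             "path": entry["target"], "referer": entry["referer"],
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On the sample, the two POSTs at 10:15:44 and 10:16:01 are reported and the admin's own form submission is not. Referer is a heuristic rather than proof: some privacy extensions strip it on legitimate requests, so a missing-referer hit warrants a look at the task table rather than an automatic block.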

NVD Description

DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability in /sys_task_add.php.

Deeper analysis

CVE-2026-29839 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, affecting DedeCMS version 5.7.118 in the /sys_task_add.php component. Published on 2026-03-24T16:16:30.787, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, no privileges required of the attacker, user interaction required, and high impact on confidentiality, integrity and availability. Note that PR:N describes the attacker, who needs no account of their own; the high impact ratings reflect what the victim whose session is abused, typically an administrator, is allowed to do.

The vulnerability is exploitable by an unauthenticated attacker who tricks an authenticated user, typically an administrator, into loading a malicious webpage, email or link that causes the victim's browser to submit a forged request to /sys_task_add.php. The attacker needs no privileges of their own, but the victim must be logged in and must act on the lure, which is why the vector carries UI:R. A successful forgery performs the endpoint's action with the victim's rights, adding a system task; the NVD text does not say what an added task executes, but the page rates the potential consequences as high for data confidentiality, integrity and availability.

References provided include a GitHub Gist at https://gist.github.com/w-p-man/43bfdf3c7cf889981d773d1276bb6a62, which may contain proof-of-concept details, and the official DedeCMS website at https://www.dedecms.com/. Security practitioners should review these sources for any advisories, patches, or mitigation guidance specific to this issue.

Details

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Affected Products

Vendor: dedecms
Product: dedecms
Version: 5.7.118

CVEs Like This One

CVE-2026-30694 (same product: Dedecms Dedecms)
CVE-2026-30643 (same product: Dedecms Dedecms)
CVE-2024-57241 (same product: Dedecms Dedecms)
CVE-2025-26550 (shared CWE-352)
CVE-2025-23661 (shared CWE-352)
CVE-2026-39640 (shared CWE-352)
CVE-2025-25147 (shared CWE-352)
CVE-2025-25100 (shared CWE-352)
CVE-2025-23872 (shared CWE-352)
CVE-2025-24756 (shared CWE-352)

References

https://gist.github.com/w-p-man/43bfdf3c7cf889981d773d1276bb6a62
https://www.dedecms.com/