CVE-2026-30457

CriticalPublic PoCRCE

Published: 26 March 2026

Published

26 March 2026

Modified

30 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0014 33.3th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-30457 is a critical-severity Code Injection (CWE-94) vulnerability in Thedaylightstudio Dwoo. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely flaw remediation, directly mitigating CVE-2026-30457 by patching the code injection vulnerability in the FuelCMS Dwoo parser component.

SI-10 Information Input Validation good match

prevent

SI-10 enforces information input validation, preventing attackers from executing arbitrary PHP code via crafted inputs to the vulnerable Dwoo parser.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

RA-5 provides vulnerability monitoring and scanning to identify systems affected by CVE-2026-30457 in FuelCMS v1.5.2.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2026-30457 enables remote code execution via code injection in a public-facing web application component (FuelCMS parser/dwoo), directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code.

Deeper analysisAI

CVE-2026-30457 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in the /parser/dwoo component of Daylight Studio FuelCMS version 1.5.2. Published on 2026-03-26T19:16:59.900, it stems from CWE-94 (code injection) and enables attackers to execute arbitrary code via crafted PHP code.

Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, authentication, or user interaction. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, allowing full remote code execution on affected systems.

Advisories and related resources, including vendor sites at http://daylight.com and http://fuelcms.com, the FuelCMS GitHub repository at https://github.com/daylightstudio/FUEL-CMS/tree/master/fuel/modules/fuel/libraries/parser/dwoo, and a pentest report at https://pentest-tools.com/PTT-2025-026-PHP-Code-Execution-Via-Dwoo-Escape.pdf, provide further details on the issue.