CVE-2026-30460

HighPublic PoCRCE

Published: 07 April 2026

Published

07 April 2026

Modified

09 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0014 33.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-30460 is a high-severity Code Injection (CWE-94) vulnerability in Thedaylightstudio Fuel Cms. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of flaws like this authenticated RCE vulnerability in FuelCMS Blocks module to prevent exploitation.

SI-10 Information Input Validation good match

prevent

Mandates validation of inputs to the Blocks module, directly countering the code injection (CWE-94) mechanism of this RCE.

AC-6 Least Privilege partial match

prevent

Enforces least privilege for low-privilege authenticated users, limiting the scope and impact of RCE even if exploited in the Blocks module.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Authenticated RCE in a public-facing web application (CMS) via code injection directly maps to exploitation of public-facing applications for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module.

Deeper analysisAI

CVE-2026-30460 is an authenticated remote code execution (RCE) vulnerability affecting Daylight Studio FuelCMS version 1.5.2, specifically within the Blocks module. Published on 2026-04-07, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-94 (code injection), alongside NVD-CWE-noinfo.

An attacker with low-privilege authenticated access can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables arbitrary code execution on the server, resulting in high impacts to confidentiality, integrity, and availability.

Advisories and related resources, including those from Pentest-Tools (PTT-2025-027 on improper authorization), the FuelCMS GitHub repository, and official sites at daylight.com and fuelcms.com, provide further details but no specific patch information is detailed in the CVE record. Security practitioners should review these references for mitigation guidance.