Cyber Posture

CVE-2026-30643

CriticalPublic PoCRCE

Published: 01 April 2026

Published
01 April 2026
Modified
06 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0010 28.0th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-30643 is a critical-severity Code Injection (CWE-94) vulnerability in Dedecms Dedecms. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Requires validation of module setup tag values to directly prevent code injection from crafted inputs during uploads.

SI-2 Flaw Remediation good match
prevent

Mandates timely remediation of the specific flaw in DedeCMS module upload processing through patching or updates.

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations to block unauthenticated access to the module upload functionality exploited by this CVE.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The CVE describes unauthenticated remote code injection (CWE-94) in a public-facing web CMS (DedeCMS), directly enabling exploitation of the application over the network to achieve RCE without credentials or user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue was discovered in DedeCMS 5.7.118 allowing attackers to execute code via crafted setup tag values in a module upload.

Deeper analysisAI

CVE-2026-30643 is a code injection vulnerability (CWE-94) discovered in DedeCMS version 5.7.118, a content management system. The flaw allows attackers to execute arbitrary code by supplying crafted setup tag values during a module upload process. It has a CVSS v3.1 base score of 9.8, indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impact on confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability remotely over the network without any prerequisites. By uploading a malicious module with specially crafted setup tags, they can achieve remote code execution on the affected DedeCMS server, potentially leading to full system compromise, data theft, modification, or disruption of services.

Mitigation details and further technical analysis are referenced in advisories such as the GitHub gist at https://gist.github.com/0psPwn/10c43912adee9bfe2ff4fec947d4ee5a and the official DedeCMS website at https://www.dedecms.com/. Security practitioners should consult these sources for patch availability or workarounds specific to DedeCMS 5.7.118.

Details

CWE(s)
CWE-94

Affected Products

dedecms
dedecms
≤ 5.7.118

CVEs Like This One

CVE-2026-30694Same product: Dedecms Dedecms
CVE-2026-29839Same product: Dedecms Dedecms
CVE-2024-57241Same product: Dedecms Dedecms
CVE-2026-35178Shared CWE-94
CVE-2024-1490Shared CWE-94
CVE-2024-7419Shared CWE-94
CVE-2025-46581Shared CWE-94
CVE-2025-65037Shared CWE-94
CVE-2025-10679Shared CWE-94
CVE-2024-57401Shared CWE-94

References