CVE-2026-30993
Published: 15 April 2026
Summary
CVE-2026-30993 is a critical-severity Code Injection (CWE-94) vulnerability in Slah CMS (product name inferred from the references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 39.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
Slah CMS versions 1.5.0 and below contain a remote code execution (RCE) vulnerability in the session() function within config.php. This flaw, identified as CWE-94 (code injection), allows exploitation through crafted input and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for complete system compromise.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation enables arbitrary code execution on the affected server, granting high-impact access to confidentiality, integrity, and availability, potentially leading to full server control.
Mitigation details and further advisories are referenced in sources such as https://cve.joaopaulodeoliveira.dev/cve.php/published/CVE-2026-30993 and https://cve.joaopaulodeoliveira.dev/cve.php/reserved/slah-informatica-eval-injection-rce, published on 2026-04-15.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22985
Vulnerability details
Slah CMS v1.5.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the session() function at config.php. This vulnerability is exploitable via a crafted input.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated remote code execution in a public-facing web application (CMS), directly enabling exploitation of public-facing applications.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the RCE vulnerability by requiring timely identification, reporting, and correction of the code injection flaw in the Slah CMS session() function.
- SI-10 (Information Input Validation): Prevents exploitation of the vulnerability by enforcing input validation mechanisms at entry points like the crafted inputs to config.php's session() function.
- RA-5 (Vulnerability Monitoring and Scanning): Identifies the specific RCE vulnerability in Slah CMS through regular vulnerability scanning and drives its remediation to prevent exploitation.