Cyber Resilience

CVE-2026-30993

Critical · RCE

Published: 15 April 2026

Modified: 17 April 2026
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0052 (39.8th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-30993 is a critical-severity Code Injection (CWE-94) vulnerability in Slah CMS, attributed to Joaopaulodeoliveira (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 39.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

Slah CMS versions 1.5.0 and below contain a remote code execution (RCE) vulnerability in the session() function within config.php. This flaw, identified as CWE-94 (code injection), allows exploitation through crafted input and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for complete system compromise.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation enables arbitrary code execution on the affected server, granting high-impact access to confidentiality, integrity, and availability, potentially leading to full server control.

Mitigation details and further advisories are referenced in sources such as https://cve.joaopaulodeoliveira.dev/cve.php/published/CVE-2026-30993 and https://cve.joaopaulodeoliveira.dev/cve.php/reserved/slah-informatica-eval-injection-rce, published on 2026-04-15.
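As an added illustration, not Slah CMS code and not taken from the advisory, the following PHP shows the general CWE-94 shape the analysis describes (request input reaching dynamic code evaluation) next to the input-validation control (SI-10) that removes it. The function names, the `setting` request parameter and the sample configuration are assumptions made for this example.

```php
<?php
// Added illustration of CWE-94 (code injection) and its mitigation.
// Not Slah CMS code: the function names, the "setting" request parameter
// and the sample configuration below are assumptions for this example.

// Vulnerable shape: a request-controlled string is spliced into PHP source
// that is then evaluated, so the client's input runs as code instead of
// being treated as data. Any dynamic code path fed by request input has
// this property, whatever the surrounding function is called.
function sessionSettingVulnerable(array $request, array $config): mixed
{
    $name = $request['setting'] ?? 'timeout';
    return eval("return \$config['$name'];");   // CWE-94 sink
}

// Hardened shape (the SI-10 control): the input is checked against a closed
// allowlist before it selects anything, and no dynamic code is executed.
const SESSION_SETTINGS = ['timeout', 'cookie_name', 'secure'];

function sessionSetting(array $request, array $config): mixed
{
    $name = $request['setting'] ?? 'timeout';
    if (!is_string($name) || !in_array($name, SESSION_SETTINGS, true)) {
        // Reject rather than sanitise: an unexpected key is never legitimate here.
        throw new InvalidArgumentException('unknown session setting');
    }
    return $config[$name];
}

// Constructed sample configuration for a local check.
$config = ['timeout' => 1800, 'cookie_name' => 'sid', 'secure' => true];

// Allowed key and the default key both resolve normally.
var_dump(sessionSetting(['setting' => 'timeout'], $config));
var_dump(sessionSetting([], $config));

// A key outside the allowlist is refused before it can select anything.
try {
    sessionSetting(['setting' => 'debug'], $config);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A value of the wrong type is refused for the same reason.
try {
    sessionSetting(['setting' => ['timeout']], $config);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The hardened version relies on two choices rather than on escaping: the value is compared against a fixed list with strict typing, so only known keys ever reach the lookup, and the lookup is a plain array access, so there is no interpreter left for unexpected input to influence. Removing the dynamic evaluation is what closes the CWE-94 class; the allowlist is what makes the remaining behaviour predictable.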

Vulnerability details

Slah CMS v1.5.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the session() function at config.php. This vulnerability is exploitable via a crafted input.

CWE(s): CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an unauthenticated remote code execution in a public-facing web application (CMS), directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41229 (shared CWE-94)
CVE-2026-44262 (shared CWE-94)
CVE-2026-40563 (shared CWE-94)
CVE-2024-32641 (shared CWE-94)
CVE-2025-71243 (shared CWE-94)
CVE-2026-2052 (shared CWE-94)
CVE-2026-9170 (shared CWE-94)
CVE-2025-54451 (shared CWE-94)
CVE-2025-50692 (shared CWE-94)
CVE-2025-22204 (shared CWE-94)

Affected Assets

Joaopaulodeoliveira (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mitigates the RCE vulnerability by requiring timely identification, reporting, and correction of the code injection flaw in the Slah CMS session() function.

SI-10 (Information Input Validation), prevent: Prevents exploitation of the vulnerability by enforcing input validation mechanisms at entry points such as the crafted inputs to config.php's session() function.

RA-5 (Vulnerability Monitoring and Scanning), prevent: Identifies the specific RCE vulnerability in Slah CMS through regular vulnerability scanning and drives its remediation to prevent exploitation.
