DedeCMS 5.7.118 Code Injection Vulnerability via Crafted Module Upload (CVE-2026-30643)
DedeCMS 5.7.118 is vulnerable to remote code execution by an unauthenticated attacker via crafted setup tag values during a module upload (CVE-2026-30643).
DedeCMS version 5.7.118 is susceptible to a critical code injection vulnerability (CVE-2026-30643) that allows unauthenticated attackers to execute arbitrary code on the server. The vulnerability stems from improper handling of setup tag values during module uploads. Successful exploitation of this flaw enables threat actors to compromise the web server, potentially leading to data breaches, system takeover, and further malicious activities. This vulnerability requires immediate attention from organizations using DedeCMS 5.7.118. The vulnerability was reported to MITRE on April 1, 2026.
Attack Chain
- An attacker identifies a DedeCMS 5.7.118 instance accessible over the internet.
- The attacker crafts a malicious module package containing a specially crafted setup tag within its configuration files.
- The attacker uploads the malicious module package to the DedeCMS instance.
- During the module installation process, the DedeCMS application parses the module’s configuration files, including the malicious setup tag.
- Due to insufficient input validation, the crafted setup tag injects arbitrary code into the application’s execution context.
- The injected code is executed by the web server, granting the attacker control over the system.
- The attacker can then use this initial foothold to execute system commands.
- The attacker establishes persistence and moves laterally within the network.
Impact
Successful exploitation of CVE-2026-30643 allows unauthenticated attackers to execute arbitrary code on the target system. This could lead to complete system compromise, data theft, defacement of the website, or further propagation of malware within the network. Given the severity and ease of exploitation, any DedeCMS 5.7.118 instance exposed to the internet is at high risk. Unpatched systems are vulnerable to complete takeover.
Recommendation
- Upgrade DedeCMS to a patched version that addresses CVE-2026-30643.
- Implement strict input validation on all user-supplied data, especially during module uploads, to prevent code injection.
- Deploy the provided Sigma rule "Detect DedeCMS Module Upload Code Injection" to identify exploitation attempts.
- Monitor web server logs (category: webserver) for suspicious activity related to module installation and unusual requests.
- Apply the CWE-94 mitigations to prevent code injection at the application level.
Detection coverage (2)
- Detect DedeCMS Module Upload Code Injection (severity: critical): Detects potential code injection attempts during DedeCMS module uploads by identifying suspicious parameters in HTTP POST requests.
- Detect DedeCMS Webshell Uploads (severity: high): Detects potential webshell uploads by identifying suspicious filenames being uploaded during module installation.
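An added example for the log-monitoring recommendation and the two detections above (not a rule from the original page or its platform): it flags module-upload POSTs from sources outside an administrator allowlist, then any PHP path that source requests for the first time shortly afterwards. The endpoint path is a placeholder because the page does not name it; the allowlist, time window and log lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# ASSUMPTION: placeholder for the module-management script of your install;
# the page does not name the real path, so set it from your own deployment.
MODULE_PATH = "/ADMIN_DIR/MODULE_SCRIPT.php"
ADMIN_IPS = {"10.0.0.5"}         # assumption: known administrator sources
WINDOW = timedelta(minutes=30)   # assumption: correlation window

# Apache/nginx "combined" access-log prefix: ip, timestamp, request line, status
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def triage(lines, module_path=MODULE_PATH, admin_ips=ADMIN_IPS):
    """Return (rule, ip, path) findings from combined-format log lines."""
    seen_php = set()   # PHP paths already requested earlier in the log
    uploads = {}       # ip -> time of its last flagged module-upload POST
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path = m["ip"], m["uri"].split("?", 1)[0]
        if m["method"] == "POST" and path == module_path and ip not in admin_ips:
            uploads[ip] = ts
            findings.append(("module-upload-from-unknown-source", ip, path))
        elif path.lower().endswith(".php"):
            recent = ip in uploads and ts - uploads[ip] <= WINDOW
            # A script nobody requested before, served right after an upload
            if path not in seen_php and recent and m["status"] == "200":
                findings.append(("new-php-after-module-upload", ip, path))
            seen_php.add(path)
    return findings

SAMPLE = [  # constructed log lines, not real traffic
    '10.0.0.5 - - [02/Apr/2026:09:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '10.0.0.5 - - [02/Apr/2026:09:01:10 +0000] "POST /ADMIN_DIR/MODULE_SCRIPT.php HTTP/1.1" 200 811',
    '203.0.113.7 - - [02/Apr/2026:10:15:30 +0000] "POST /ADMIN_DIR/MODULE_SCRIPT.php HTTP/1.1" 200 790',
    '203.0.113.7 - - [02/Apr/2026:10:15:42 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [02/Apr/2026:10:16:05 +0000] "GET /uploads/new_file.php HTTP/1.1" 200 12',
    '198.51.100.9 - - [02/Apr/2026:10:20:00 +0000] "GET /uploads/new_file.php HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Findings from this triage are leads for review, not confirmation of compromise; an administrator working from a new address will also trigger the first rule.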