{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dedecms/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-30643"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["dedecms","code-injection","cve-2026-30643"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eDedeCMS version 5.7.118 is susceptible to a critical code injection vulnerability (CVE-2026-30643) that allows unauthenticated attackers to execute arbitrary code on the server. The vulnerability stems from improper handling of setup tag values during module uploads. Successful exploitation of this flaw enables threat actors to compromise the web server, potentially leading to data breaches, system takeover, and further malicious activities. This vulnerability requires immediate attention from organizations using DedeCMS 5.7.118. The vulnerability was reported to MITRE on April 1, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a DedeCMS 5.7.118 instance accessible over the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious module package containing a specially crafted setup tag within its configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious module package to the DedeCMS instance.\u003c/li\u003e\n\u003cli\u003eDuring the module installation process, the DedeCMS application parses the module\u0026rsquo;s configuration files, including the malicious setup tag.\u003c/li\u003e\n\u003cli\u003eDue to insufficient input validation, the crafted setup tag injects arbitrary code into the application\u0026rsquo;s execution context.\u003c/li\u003e\n\u003cli\u003eThe injected code is executed by the web server, granting the attacker control over the system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use this initial foothold to execute system commands.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence and moves laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-30643 allows unauthenticated attackers to execute arbitrary code on the target system. This could lead to complete system compromise, data theft, defacement of the website, or further propagation of malware within the network. Given the severity and ease of exploitation, any DedeCMS 5.7.118 instance exposed to the internet is at high risk. Unpatched systems are vulnerable to complete takeover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade DedeCMS to a patched version that addresses CVE-2026-30643.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation on all user-supplied data, especially during module uploads, to prevent code injection.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect DedeCMS Module Upload Code Injection\u003c/code\u003e to identify exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category: webserver) for suspicious activity related to module installation and unusual requests.\u003c/li\u003e\n\u003cli\u003eApply the CWE-94 mitigations to prevent code injection at the application level.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T17:28:39Z","date_published":"2026-04-01T17:28:39Z","id":"/briefs/2026-04-dedecms-code-injection/","summary":"DedeCMS 5.7.118 is vulnerable to remote code execution via crafted setup tag values during a module upload, as exploited by an unauthenticated attacker (CVE-2026-30643).","title":"DedeCMS 5.7.118 Code Injection Vulnerability via Crafted Module Upload (CVE-2026-30643)","url":"https://feed.craftedsignal.io/briefs/2026-04-dedecms-code-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Dedecms","version":"https://jsonfeed.org/version/1.1"}