CVE-2026-49954

Discuz! X5.0 releases 20260320 through 20260610 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute. Attackers can trigger an exception during plugin installation to bypass sanitization routines, causing malicious paths to be stored unsanitized and subsequently passed to include(), which combined with file upload functionality escalates to arbitrary code execution in the context of the web server user.
Configurations

No configuration.

History

16 Jun 2026, 12:16

Type: References
Values Removed: (none)
Values Added: http://seclists.org/fulldisclosure/2026/Jun/5

15 Jun 2026, 21:17

Type: Summary
Values Removed (en): Discuz! X5.0 releases 20260320 through 20260501 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute. Attackers can trigger an exception during plugin installation to bypass sanitization routines, causing malicious paths to be stored unsanitized and subsequently passed to include(), which combined with file upload functionality escalates to arbitrary code execution in the context of the web server user.
Values Added (en): Discuz! X5.0 releases 20260320 through 20260610 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute. Attackers can trigger an exception during plugin installation to bypass sanitization routines, causing malicious paths to be stored unsanitized and subsequently passed to include(), which combined with file upload functionality escalates to arbitrary code execution in the context of the web server user.

15 Jun 2026, 20:16

Type: New CVE
Values Removed: (none)
Values Added: (none)

Information

Published : 2026-06-15 20:16

Updated : 2026-06-16 12:16


NVD link : CVE-2026-49954

Mitre link : CVE-2026-49954

CVE.ORG link : CVE-2026-49954

Products Affected

No product.

CWE
CWE-98

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')