CVE-2026-29839
Cross-Site Request Forgery in DedeCMS /sys_task_add.php

Publication date: 2026-03-24

Last updated on: 2026-03-25

Assigner: MITRE

Description
DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability in /sys_task_add.php.
Meta Information
Published: 2026-03-24
Last Modified: 2026-03-25
Generated: 2026-06-16
AI Q&A: 2026-03-24
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor    Product    Version / Range
dedecms   dedecms    5.7.118
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Executive Summary

CVE-2026-29839 is a Cross-Site Request Forgery (CSRF) vulnerability found in DedeCMS version 5.7.118, specifically in the /sys_task_add.php component.

The vulnerability occurs because the application does not properly verify CSRF tokens for the save action in this script.

An attacker can exploit this by creating a malicious HTML page that automatically sends a forged POST request to the vulnerable endpoint.

If an authenticated administrator visits this malicious page, the attacker can create arbitrary scheduled tasks without the administrator's consent. [2]

Impact Analysis

This vulnerability allows an attacker to remotely create unauthorized scheduled tasks in the context of an authenticated administrator.

Such unauthorized scheduled tasks may lead to further security risks depending on how the scheduled tasks are configured on the affected system.

The attack requires the administrator to be authenticated and to visit a malicious page controlled by the attacker.


Detection Guidance

This vulnerability involves a Cross-Site Request Forgery (CSRF) in the /sys_task_add.php script of DedeCMS v5.7.118, where unauthorized scheduled tasks can be created if an authenticated administrator visits a malicious page.

To detect exploitation attempts on your system or network, you can monitor HTTP POST requests to the /dede/sys_task_add.php endpoint, especially those that create or modify scheduled tasks.

Suggested commands to detect suspicious activity include:

  • Using web server logs (e.g., Apache or Nginx) to search for POST requests to /dede/sys_task_add.php:
    grep 'POST /dede/sys_task_add.php' /var/log/nginx/access.log
  • Checking for unusual or unexpected scheduled tasks created around the time of suspicious requests.
  • Using network monitoring tools (e.g., tcpdump or Wireshark) to capture and analyze HTTP traffic targeting /dede/sys_task_add.php. [2]
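The grep above lists every POST to the endpoint, legitimate ones included. A forged request is sent by the administrator's browser from a third-party page, so its Referer is either absent or names a host other than the CMS. The following script, an added example that is not part of this advisory or of DedeCMS, applies that check to nginx "combined" format log lines; the hostname cms.example.internal and the sample log lines are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# nginx "combined" log format: ip - user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

TARGET_PATH = "/dede/sys_task_add.php"  # endpoint named in the detection guidance
TRUSTED_HOST = "cms.example.internal"   # assumed hostname of the DedeCMS backend (placeholder)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry, trusted_host=TRUSTED_HOST):
    """Return a reason string if the entry is a POST to the task endpoint whose Referer
    is missing or points at a host other than the CMS itself; otherwise None."""
    if entry["method"] != "POST" or entry["path"].split("?", 1)[0] != TARGET_PATH:
        return None
    referer = entry["referer"]
    if referer in ("", "-"):
        return "POST to task endpoint with no Referer"
    host = urlparse(referer).hostname
    if host != trusted_host:
        return f"POST to task endpoint with foreign Referer host {host}"
    return None

def scan(lines, trusted_host=TRUSTED_HOST):
    """Return (ip, time, reason) for every suspicious line; unparseable lines are skipped."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = is_suspicious(entry, trusted_host)
        if reason:
            hits.append((entry["ip"], entry["time"], reason))
    return hits

# Constructed sample log lines, not real traffic: one legitimate same-site POST,
# one POST referred from a foreign page, one POST with no Referer, one harmless GET.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Mar/2026:10:01:02 +0000] "POST /dede/sys_task_add.php HTTP/1.1" 302 0 "https://cms.example.internal/dede/sys_task_add.php" "Mozilla/5.0"',
    '10.0.0.5 - - [24/Mar/2026:10:05:44 +0000] "POST /dede/sys_task_add.php HTTP/1.1" 302 0 "https://evil.example.net/lure.html" "Mozilla/5.0"',
    '10.0.0.5 - - [24/Mar/2026:10:06:10 +0000] "POST /dede/sys_task_add.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [24/Mar/2026:10:07:00 +0000] "GET /dede/sys_task_add.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when, reason in scan(SAMPLE_LOG):
        print(f"{when} {ip}: {reason}")
```

Referer can be stripped by a Referrer-Policy, so a missing Referer is a weaker signal than a foreign one; if the log format also records $http_origin, applying the same host comparison to Origin is more reliable for cross-site POSTs.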

Mitigation Strategies

Immediate mitigation steps include:

  • Restrict access to the /dede/sys_task_add.php script to trusted administrators only, ideally by IP address or VPN.
  • Ensure that administrators do not visit untrusted or suspicious websites while authenticated to the DedeCMS backend.
  • Implement or enforce CSRF protection, such as verifying CSRF tokens on all sensitive POST requests, wherever possible.
  • Monitor and audit scheduled tasks regularly to detect any unauthorized creations.
  • Update DedeCMS to a version where this vulnerability is patched once available.