CVE-2026-30457
Status: Received - Intake
Remote Code Execution in FuelCMS v1.5.2 /parser/dwoo Component

Publication date: 2026-03-26

Last updated on: 2026-03-30

Assigner: MITRE

Description
An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code.
Meta Information
Published: 2026-03-26
Last Modified: 2026-03-30
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor | Product | Version / Range
thedaylightstudio | fuel_cms | 1.5.2
thedaylightstudio | dwoo | 1.1.0
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-30457 is a critical remote code execution vulnerability in FuelCMS that allows authenticated users to execute arbitrary PHP code on the server. This type of vulnerability can lead to unauthorized access, data breaches, and potential manipulation or exposure of sensitive information.

While the provided context does not explicitly mention compliance with standards such as GDPR or HIPAA, the ability to execute arbitrary code on a server hosting sensitive or personal data could result in violations of these regulations. For example, unauthorized code execution could lead to data leakage, unauthorized data modification, or disruption of services, all of which are concerns under GDPR and HIPAA.

Therefore, organizations using FuelCMS v1.5.2 with this vulnerability may face increased risk of non-compliance with data protection and privacy regulations if the vulnerability is exploited.


Can you explain this vulnerability to me?

CVE-2026-30457 is a critical remote code execution (RCE) vulnerability in Daylight Studio FuelCMS version 1.5.2, specifically in its Dwoo templating engine component. The issue arises because Dwoo improperly escapes the backslash character ("\") when parsing template code. This flaw allows an attacker with valid user credentials to inject crafted PHP code by escaping out of string delimiters in the template, which then gets executed on the server.

Technically, Dwoo converts template objects enclosed in curly braces into PHP code stored in compiled files. Due to improper escaping of backslashes, an attacker can break out of string literals and insert arbitrary PHP commands. Exploitation involves sending a specially crafted HTTP POST request to the blocks preview endpoint with malicious template code, resulting in execution of arbitrary PHP code on the server.


How can this vulnerability impact me?

This vulnerability allows an attacker with any valid user credentials to execute arbitrary PHP code on the server hosting FuelCMS. This can lead to full compromise of the web server, including unauthorized access to sensitive data, modification or deletion of content, installation of malware, or further attacks on the internal network.

Because the vulnerability enables remote code execution, it poses a high risk to the confidentiality, integrity, and availability of the affected system. Additionally, it can be combined with other vulnerabilities, such as unauthenticated account takeover, to increase the severity and ease of exploitation.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The CVE-2026-30457 vulnerability can be detected by monitoring for specially crafted HTTP POST requests sent to the endpoint /fuel//preview?module=blocks&field=view containing malicious Dwoo template code in the data parameter.

Detection involves looking for attempts to inject backslash-escaped PHP code within the Dwoo template syntax, such as payloads including {assign(aaa\ '. die(`id`));//')}, which cause execution of arbitrary PHP code.

You can use network monitoring or web server logs to identify suspicious POST requests to the preview endpoint with multipart/form-data containing unusual Dwoo template code.

  • Use tools like tcpdump or Wireshark to capture HTTP POST traffic to /fuel//preview?module=blocks&field=view.
  • Search web server access logs for POST requests to /fuel//preview?module=blocks&field=view with suspicious payloads, e.g., using grep: grep -i 'POST /fuel//preview?module=blocks&field=view' /var/log/apache2/access.log
  • Look for PHP parse errors or unexpected output in server error logs that may indicate attempted exploitation.
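As an added detection example (not part of this page or of the FuelCMS project), the script below scans Apache/nginx combined-format access logs for POST requests to the blocks preview endpoint, normalising the doubled slash and the query-parameter order so trivial variants of the path are not missed; the log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" log format; the request line is "METHOD TARGET PROTO".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def is_preview_request(method, target):
    """True when a POST hits /fuel//preview?module=blocks&field=view,
    regardless of parameter order, URL-encoding or repeated slashes."""
    if method != "POST":
        return False
    parts = urlsplit(target)
    path = re.sub(r"/+", "/", unquote(parts.path)).rstrip("/")
    if not path.endswith("/fuel/preview"):
        return False
    qs = parse_qs(parts.query)
    return qs.get("module") == ["blocks"] and qs.get("field") == ["view"]

def find_preview_posts(lines):
    """Return (ip, user, timestamp, status) for each flagged log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_preview_request(m["method"], m["target"]):
            hits.append((m["ip"], m["user"], m["ts"], int(m["status"])))
    return hits

def hits_per_source(hits):
    """Count flagged requests per client IP to spot bursts from one source."""
    return Counter(h[0] for h in hits)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Mar/2026:10:01:02 +0000] "GET /fuel/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - admin [26/Mar/2026:10:01:09 +0000] "POST /fuel//preview?module=blocks&field=view HTTP/1.1" 200 88 "-" "curl/8.4.0"',
    '203.0.113.5 - admin [26/Mar/2026:10:01:11 +0000] "POST /fuel/preview?field=view&module=blocks HTTP/1.1" 500 0 "-" "curl/8.4.0"',
    '198.51.100.7 - - [26/Mar/2026:10:02:30 +0000] "POST /fuel/preview?module=pages&field=view HTTP/1.1" 200 70 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = find_preview_posts(SAMPLE_LOG)
    for hit in hits:
        print("preview POST:", hit)
    print(hits_per_source(hits))
```

Standard access logs record only the request line, so the contents of the data parameter are visible only in WAF or reverse-proxy logs that capture request bodies; a 500 status on a flagged request is worth correlating with the PHP error log.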

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable endpoint /fuel//preview?module=blocks&field=view to trusted users only, as exploitation requires authenticated user credentials.

Since the vendor is not expected to fix this issue and the FuelCMS master branch has not been updated in over four years, consider disabling or restricting the use of the Dwoo templating engine or the preview module if possible.

Monitor and audit user accounts to prevent unauthorized access, as exploitation requires valid credentials.

Implement web application firewall (WAF) rules to detect and block malicious payloads attempting to inject backslash-escaped PHP code in the data parameter.

Consider isolating or sandboxing the FuelCMS environment to limit the impact of potential code execution.

