CVE-2026-30457
Received Received - Intake
Remote Code Execution in FuelCMS v1.5.2 /parser/dwoo Component

Publication date: 2026-03-26

Last updated on: 2026-03-30

Assigner: MITRE

Description
An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-30457
EUVD
EUVD-2026-16301
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
thedaylightstudio fuel_cms 1.5.2
thedaylightstudio dwoo 1.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-30457 is a critical remote code execution vulnerability in FuelCMS that allows authenticated users to execute arbitrary PHP code on the server. This type of vulnerability can lead to unauthorized access, data breaches, and potential manipulation or exposure of sensitive information.

While the provided context does not explicitly mention compliance with standards such as GDPR or HIPAA, the ability to execute arbitrary code on a server hosting sensitive or personal data could result in violations of these regulations. For example, unauthorized code execution could lead to data leakage, unauthorized data modification, or disruption of services, all of which are concerns under GDPR and HIPAA.

Therefore, organizations using FuelCMS v1.5.2 with this vulnerability may face increased risk of non-compliance with data protection and privacy regulations if the vulnerability is exploited.

Executive Summary

CVE-2026-30457 is a critical remote code execution (RCE) vulnerability in Daylight Studio FuelCMS version 1.5.2, specifically in its Dwoo templating engine component. The issue arises because Dwoo improperly escapes the backslash character ("\") when parsing template code. This flaw allows an attacker with valid user credentials to inject crafted PHP code by escaping out of string delimiters in the template, which then gets executed on the server.

Technically, Dwoo converts template objects enclosed in curly braces into PHP code stored in compiled files. Due to improper escaping of backslashes, an attacker can break out of string literals and insert arbitrary PHP commands. Exploitation involves sending a specially crafted HTTP POST request to the blocks preview endpoint with malicious template code, resulting in execution of arbitrary PHP code on the server.

Impact Analysis

This vulnerability allows an attacker with any valid user credentials to execute arbitrary PHP code on the server hosting FuelCMS. This can lead to full compromise of the web server, including unauthorized access to sensitive data, modification or deletion of content, installation of malware, or further attacks on the internal network.

Because the vulnerability enables remote code execution, it poses a high risk to the confidentiality, integrity, and availability of the affected system. Additionally, it can be combined with other vulnerabilities, such as unauthenticated account takeover, to increase the severity and ease of exploitation.

Detection Guidance

The CVE-2026-30457 vulnerability can be detected by monitoring for specially crafted HTTP POST requests sent to the endpoint /fuel//preview?module=blocks&field=view containing malicious Dwoo template code in the data parameter.

Detection involves looking for attempts to inject backslash-escaped PHP code within the Dwoo template syntax, such as payloads including {assign(aaa\ '. die(`id`));//')}, which cause execution of arbitrary PHP code.

You can use network monitoring or web server logs to identify suspicious POST requests to the preview endpoint with multipart/form-data containing unusual Dwoo template code.

  • Use tools like tcpdump or Wireshark to capture HTTP POST traffic to /fuel//preview?module=blocks&field=view.
  • Search web server access logs for POST requests to /fuel//preview?module=blocks&field=view with suspicious payloads, e.g., using grep: grep -i 'POST /fuel//preview?module=blocks&field=view' /var/log/apache2/access.log
  • Look for PHP parse errors or unexpected output in server error logs that may indicate attempted exploitation.
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint /fuel//preview?module=blocks&field=view to trusted users only, as exploitation requires authenticated user credentials.

Since the vendor is not expected to fix this issue and the FuelCMS master branch has not been updated in over four years, consider disabling or restricting the use of the Dwoo templating engine or the preview module if possible.

Monitor and audit user accounts to prevent unauthorized access, as exploitation requires valid credentials.

Implement web application firewall (WAF) rules to detect and block malicious payloads attempting to inject backslash-escaped PHP code in the data parameter.

Consider isolating or sandboxing the FuelCMS environment to limit the impact of potential code execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30457. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart