CVE-2026-30694
Received Received - Intake
Remote Code Execution in DedeCMS array_filter Component

Publication date: 2026-03-19

Last updated on: 2026-03-25

Assigner: MITRE

Description
An issue in DedeCMS v.5.7.118 and before allows a remote attacker to execute arbitrary code via the array_filter component
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-25
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30694
EUVD
EUVD-2026-13147
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dedecms dedecms to 5.7.118 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-30694 is a high-risk remote code execution (RCE) vulnerability in DedeCMS versions up to 5.7.118. It occurs in the admin portal's file management functionality due to flaws in a blacklist implemented via regular expressions in the file `/dede/tpl.php`."}, {'type': 'paragraph', 'content': 'The vulnerability arises from two main technical issues: a misspelled function name `array_filert` instead of `array_filter` that affects blacklist filtering, and an incomplete regular expression character class that omits the double quote character. This omission allows attackers to bypass the blacklist by enclosing dangerous callback function names in double quotes.'}, {'type': 'paragraph', 'content': 'An authenticated administrator can exploit this by uploading a PHP file containing code that uses `array_filter` with a double-quoted callback such as `"system"`. This bypasses the blacklist and enables execution of arbitrary system commands, effectively achieving remote code execution.'}] [1, 2]

Impact Analysis

This vulnerability allows an attacker with administrator privileges to execute arbitrary system commands on the server hosting DedeCMS. By uploading malicious PHP files that bypass the blacklist, the attacker can gain full remote code execution capabilities.

The impact includes potential full compromise of the affected system, unauthorized access to sensitive data, disruption of services, and the ability to install backdoors or malware.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of malicious PHP files uploaded via the DedeCMS admin portal\'s file management feature, especially files that use the array_filter function with double-quoted callback parameters such as "system".'}, {'type': 'paragraph', 'content': 'Since the vulnerability arises from a flawed blacklist implemented via regular expressions in the file `/dede/tpl.php`, you can inspect this file for the misspelled function name `array_filert` instead of `array_filter` and verify the regular expression on line 38 to see if it excludes the double quote character.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or malicious files, you can search your web server or DedeCMS installation directories for PHP files containing suspicious payloads like:'}, {'type': 'list_item', 'content': '<?php $g = "_GET"; $c = "c"; array_filter([${$g}[$c]],"system"); ?>'}, {'type': 'paragraph', 'content': 'A sample command to find such files on a Linux system could be:'}, {'type': 'list_item', 'content': 'grep -r --include="*.php" \'array_filter.*"system"\' /path/to/dedecms/'}, {'type': 'paragraph', 'content': 'Additionally, you can check the `/dede/tpl.php` file for the spelling error and regex issue by using commands like:'}, {'type': 'list_item', 'content': "grep -n 'array_filert' /path/to/dedecms/dede/tpl.php"}, {'type': 'list_item', 'content': 'sed -n 35,40p /path/to/dedecms/dede/tpl.php'}] [1, 2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include correcting the source code flaws in the `/dede/tpl.php` file to prevent bypass of the blacklist detection.'}, {'type': 'list_item', 'content': 'Fix the spelling error on line 35 by changing `array_filert` to the correct `array_filter`.'}, {'type': 'list_item', 'content': 'Modify the regular expression on line 38 to include the double quote character in the character class, changing it from `[([{\']` to `[([{\'"]`.'}, {'type': 'paragraph', 'content': 'These changes ensure that callback function names enclosed in double quotes are properly detected and blocked, preventing attackers from uploading malicious PHP files that execute arbitrary code.'}, {'type': 'paragraph', 'content': 'Additionally, restrict administrator access to trusted users only, monitor uploaded files for suspicious content, and consider applying any official patches or updates from DedeCMS if available.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30694. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart