CVE-2026-30694
Remote Code Execution in DedeCMS array_filter Component
Publication date: 2026-03-19
Last updated on: 2026-03-25
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dedecms | dedecms | to 5.7.118 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-30694 is a high-risk remote code execution (RCE) vulnerability in DedeCMS versions up to 5.7.118. It occurs in the admin portal's file management functionality due to flaws in a blacklist implemented via regular expressions in the file `/dede/tpl.php`."}, {'type': 'paragraph', 'content': 'The vulnerability arises from two main technical issues: a misspelled function name `array_filert` instead of `array_filter` that affects blacklist filtering, and an incomplete regular expression character class that omits the double quote character. This omission allows attackers to bypass the blacklist by enclosing dangerous callback function names in double quotes.'}, {'type': 'paragraph', 'content': 'An authenticated administrator can exploit this by uploading a PHP file containing code that uses `array_filter` with a double-quoted callback such as `"system"`. This bypasses the blacklist and enables execution of arbitrary system commands, effectively achieving remote code execution.'}] [1, 2]
How can this vulnerability impact me? :
This vulnerability allows an attacker with administrator privileges to execute arbitrary system commands on the server hosting DedeCMS. By uploading malicious PHP files that bypass the blacklist, the attacker can gain full remote code execution capabilities.
The impact includes potential full compromise of the affected system, unauthorized access to sensitive data, disruption of services, and the ability to install backdoors or malware.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of malicious PHP files uploaded via the DedeCMS admin portal\'s file management feature, especially files that use the array_filter function with double-quoted callback parameters such as "system".'}, {'type': 'paragraph', 'content': 'Since the vulnerability arises from a flawed blacklist implemented via regular expressions in the file `/dede/tpl.php`, you can inspect this file for the misspelled function name `array_filert` instead of `array_filter` and verify the regular expression on line 38 to see if it excludes the double quote character.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or malicious files, you can search your web server or DedeCMS installation directories for PHP files containing suspicious payloads like:'}, {'type': 'list_item', 'content': '<?php $g = "_GET"; $c = "c"; array_filter([${$g}[$c]],"system"); ?>'}, {'type': 'paragraph', 'content': 'A sample command to find such files on a Linux system could be:'}, {'type': 'list_item', 'content': 'grep -r --include="*.php" \'array_filter.*"system"\' /path/to/dedecms/'}, {'type': 'paragraph', 'content': 'Additionally, you can check the `/dede/tpl.php` file for the spelling error and regex issue by using commands like:'}, {'type': 'list_item', 'content': "grep -n 'array_filert' /path/to/dedecms/dede/tpl.php"}, {'type': 'list_item', 'content': 'sed -n 35,40p /path/to/dedecms/dede/tpl.php'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include correcting the source code flaws in the `/dede/tpl.php` file to prevent bypass of the blacklist detection.'}, {'type': 'list_item', 'content': 'Fix the spelling error on line 35 by changing `array_filert` to the correct `array_filter`.'}, {'type': 'list_item', 'content': 'Modify the regular expression on line 38 to include the double quote character in the character class, changing it from `[([{\']` to `[([{\'"]`.'}, {'type': 'paragraph', 'content': 'These changes ensure that callback function names enclosed in double quotes are properly detected and blocked, preventing attackers from uploading malicious PHP files that execute arbitrary code.'}, {'type': 'paragraph', 'content': 'Additionally, restrict administrator access to trusted users only, monitor uploaded files for suspicious content, and consider applying any official patches or updates from DedeCMS if available.'}] [1, 2]