CVE-2026-30460
Status: Received (Intake)
Authenticated Remote Code Execution in FuelCMS Blocks Module

Publication date: 2026-04-07

Last updated on: 2026-04-09

Assigner: MITRE

Description
Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-04-07
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: thedaylightstudio
Product: fuel_cms
Version / Range: 1.5.2
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-30460 is a vulnerability in FuelCMS version 1.5.2, specifically in the Blocks module. It is an authenticated remote code execution (RCE) flaw caused by improper authorization enforcement. Any authenticated user, regardless of their role or permissions, can exploit this vulnerability by accessing the block preview endpoint and sending a crafted request that executes arbitrary PHP code on the server.

The issue arises because FuelCMS does not properly restrict access to the Blocks module's preview functionality, allowing low-privileged users to run malicious code via the Dwoo template engine. Exploitation requires valid user credentials but no special permissions.


How can this vulnerability impact me?

This vulnerability can have serious impacts including unauthorized remote code execution on the server hosting FuelCMS. An attacker with valid credentials but low privileges can execute arbitrary PHP code, potentially leading to data exposure, server compromise, or further attacks within the network.

Since the attacker can run code remotely, they might read sensitive files, modify data, or disrupt the availability of the service. The vulnerability does not require high privileges, making it easier for attackers to exploit once they have any user account.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The CVE-2026-30460 vulnerability allows any authenticated user to execute arbitrary PHP code on the server due to improper authorization in FuelCMS 1.5.2. This remote code execution (RCE) flaw can lead to unauthorized access and manipulation of sensitive data stored or processed by the system.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access and modification.

Because the vulnerability enables low-privileged users to bypass access controls and execute code remotely, it increases the risk of data exposure or alteration, thereby undermining the confidentiality and integrity requirements mandated by these regulations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to access the block preview endpoint of FuelCMS with authenticated user credentials and checking for improper authorization enforcement.

A practical detection method involves logging in as any user (even one with no module permissions) and sending a crafted POST request to the endpoint `/preview?module=blocks` with a malicious payload embedded in multipart form data using Dwoo template syntax to execute PHP code.

If the server responds with the output of the executed code, it confirms the presence of the remote code execution vulnerability.

  • Log in to FuelCMS with valid user credentials.
  • Send a crafted POST request to `/preview?module=blocks` with a payload using Dwoo template syntax to execute PHP code.
  • Observe the server response for execution output, such as reading session file contents.

What immediate steps should I take to mitigate this vulnerability?

There is no official fix available for this vulnerability as the FuelCMS master branch has not been updated for over four years and the vendor is unlikely to address it.

Immediate mitigation steps include restricting access to the FuelCMS application to trusted users only, especially limiting authenticated user accounts.

Additionally, monitoring and blocking suspicious requests to the `/preview?module=blocks` endpoint can help reduce exploitation risk.

Consider implementing network-level controls such as firewalls or web application firewalls (WAF) to detect and block malicious payloads targeting this endpoint.

If possible, disable or restrict the 'Blocks' module or the block preview functionality until a patch or update is available.
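The detection and mitigation answers above both come down to the same observable: POST requests to the block preview endpoint (`/preview?module=blocks`) from authenticated sessions. The following script is an added example, not code from the page or from FuelCMS, that parses web-server access logs in combined log format and surfaces those requests per source IP, which is the monitoring half of the "monitor and block" advice. The sample log lines are constructed, and the `/fuel` admin prefix and the IP addresses in them are assumptions for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format). The /fuel admin
# prefix, IPs, timestamps and user agents are assumptions, not values from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Apr/2026:10:01:02 +0000] "GET /fuel/login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Apr/2026:10:01:09 +0000] "POST /fuel/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Apr/2026:10:01:15 +0000] "POST /fuel/preview?module=blocks HTTP/1.1" 200 418 "-" "python-requests/2.31"
10.0.0.5 - - [07/Apr/2026:10:01:16 +0000] "POST /fuel/preview?module=blocks HTTP/1.1" 200 420 "-" "python-requests/2.31"
10.0.0.9 - - [07/Apr/2026:10:02:00 +0000] "GET /fuel/blocks HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Apr/2026:10:02:30 +0000] "GET /fuel/preview?module=pages HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [ts] "METHOD target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_block_preview(target):
    """True when the request target is the preview endpoint with module=blocks.

    The path check tolerates any admin prefix (e.g. /fuel/preview) and a trailing
    slash; the module value is read from the query string, so extra parameters
    or a different parameter order do not hide the request.
    """
    parts = urlsplit(target)
    if not parts.path.rstrip("/").endswith("/preview"):
        return False
    module = parse_qs(parts.query).get("module", [""])[0]
    return module.lower() == "blocks"


def find_block_preview_posts(log_text):
    """Return the parsed records for every POST to the block preview endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and is_block_preview(rec["target"]):
            hits.append(rec)
    return hits


def count_by_source(hits):
    """Count hits per client IP so repeated attempts from one source stand out."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    hits = find_block_preview_posts(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["target"]} '
              f'-> {rec["status"]} ({rec["ua"]})')
    print(dict(count_by_source(hits)))
```

Legitimate editors who use the block preview from the admin UI will also produce matches, so treat the output as a triage list rather than an alert on its own: correlate each hit with the session or account that made it, the request rate, and a non-browser user agent. The same path-and-query match (`/preview` with `module=blocks`) is what a WAF or reverse-proxy rule would key on if the blocking option from the mitigation answer is chosen.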
