CVE-2026-30993
Remote Code Execution in Slah CMS session() Function
Publication date: 2026-04-15
Last updated on: 2026-04-16
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| slah_cms | slah_cms | up to 1.5.0 (exclusive) |
| slah_informatica | slah_cms | up to 1.5.0 (inclusive) |
| slah_informatica | slah_cms | up to 1.5.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30993 is a critical Remote Code Execution (RCE) vulnerability in Slah CMS versions 1.5.0 and below. It exists in the session() function within the config.php file, where a specific key-value input pair is processed insecurely.
If the key matches a hardcoded string ('[email protected]') and the value is not null, the function executes the value as PHP code using eval() without any validation or sandboxing. This allows an attacker to inject and run arbitrary PHP code remotely without authentication.
The vulnerability arises from improper input sanitization and the unsafe use of eval(), enabling attackers to execute system-level commands on the server hosting the CMS.
How can this vulnerability impact me?
This vulnerability allows an unauthenticated remote attacker to execute arbitrary PHP code on the affected server, leading to full system compromise.
- Attackers can run system-level commands, potentially gaining control over the server.
- Sensitive data stored on the server can be accessed, modified, or deleted.
- The attacker can install malware, create backdoors, or disrupt services.
- The integrity and availability of the web application and underlying infrastructure can be severely impacted.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted POST requests to the login endpoint of the Slah CMS instance and observing if arbitrary code execution occurs.
A specific detection method involves sending a POST request with the email parameter set to the hardcoded key '[email protected]' and the senha parameter containing a harmless system command such as 'system('uname -a ; uptime');'. If the system returns the output of these commands, it confirms the presence of the vulnerability.
An example command using curl to test for this vulnerability is:
- curl -X POST "https://[SUBDOMAIN].[DOMAIN].gov.br/login" -H "Content-Type: application/x-www-form-urlencoded" -b "PHPSESSID=[RANDOM_PHPSESSID]" --data "[email protected]&senha=system('uname -a ; uptime');"
Successful execution returning system information indicates the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update Slah CMS to the patched version released on 2026-01-05 that fixes this vulnerability.
The technical fix involves removing the use of eval() for dynamic code execution in the session() function and replacing it with secure alternatives such as switch-case statements or whitelist-based mappings to prevent execution of untrusted input as code.
Until the update can be applied, restrict access to the vulnerable endpoints, monitor for suspicious POST requests containing the hardcoded key '[email protected]', and consider implementing web application firewall (WAF) rules to block such exploit attempts.
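The fix described above, shown as an added illustration that is not Slah CMS's own code: the pattern the advisory describes (the value passed to eval()) next to a replacement in which the value can only select an action from a fixed allow-list. The special key is a placeholder because the advisory redacts it, and the action names are assumed.

```php
<?php
declare(strict_types=1);

// Placeholder for the hardcoded key the advisory redacts (assumed value).
const SPECIAL_KEY = 'PLACEHOLDER_SPECIAL_KEY';

// Pattern the advisory describes (CWE-94): when the key matches and the value
// is not null, the value reaches eval() unchanged, so any PHP in the request
// runs on the server.
function session_vulnerable(string $key, ?string $value): void
{
    if ($key === SPECIAL_KEY && $value !== null) {
        eval($value);
    }
}

// Hardened form: the value is only ever a lookup into a fixed allow-list of
// named actions and is never interpreted as code. Unknown values are refused
// and logged so that probing for the old behaviour shows up in the logs.
function session_safe(string $key, ?string $value): bool
{
    // Assumed action names; each entry is a closure, not user-supplied text.
    $actions = [
        'keepalive' => static fn(): bool => true,
        'logout'    => static function (): bool {
            $_SESSION = [];
            return true;
        },
    ];

    if ($key !== SPECIAL_KEY || $value === null) {
        return false;
    }
    if (!array_key_exists($value, $actions)) {
        error_log('session(): rejected unexpected value for special key');
        return false;
    }
    return $actions[$value]();
}

// Constructed request values, as the login form would supply them.
$key   = (string) ($_POST['email'] ?? '');
$value = isset($_POST['senha']) ? (string) $_POST['senha'] : null;

var_dump(session_safe($key, $value));
```

Because the value is compared against array keys rather than executed, a request carrying PHP source in the senha parameter now fails the allow-list check and is logged instead of run.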
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated remote code execution, leading to full system compromise. This can result in unauthorized access to sensitive data managed by the Slah CMS, which is used in governmental infrastructure.
Such a compromise can lead to violations of data protection regulations like GDPR and HIPAA, as these standards require adequate security measures to protect personal and sensitive information from unauthorized access or breaches.
Failure to patch this vulnerability could result in non-compliance with these regulations due to the risk of data breaches and lack of proper security controls.