Executive Summary

CVE-2026-30993 is a critical Remote Code Execution (RCE) vulnerability in Slah CMS versions 1.5.0 and below. It exists in the session() function within the config.php file, where a specific key-value input pair is processed insecurely.

If the key matches a hardcoded string ('[email protected]') and the value is not null, the function executes the value as PHP code using eval() without any validation or sandboxing. This allows an attacker to inject and run arbitrary PHP code remotely without authentication.

The vulnerability arises from improper input sanitization and the unsafe use of eval(), enabling attackers to execute system-level commands on the server hosting the CMS.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to execute arbitrary PHP code on the affected server, leading to full system compromise.

• Attackers can run system-level commands, potentially gaining control over the server.
• Sensitive data stored on the server can be accessed, modified, or deleted.
• The attacker can install malware, create backdoors, or disrupt services.
• The integrity and availability of the web application and underlying infrastructure can be severely impacted.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending crafted POST requests to the login endpoint of the Slah CMS instance and observing if arbitrary code execution occurs.

A specific detection method involves sending a POST request with the email parameter set to the hardcoded key '[email protected]' and the senha parameter containing a harmless system command such as 'system('uname -a ; uptime');'. If the system returns the output of these commands, it confirms the presence of the vulnerability.

An example command using curl to test for this vulnerability is:

• curl -X POST "https://[SUBDOMAIN].[DOMAIN].gov.br/login" -H "Content-Type: application/x-www-form-urlencoded" -b "PHPSESSID=[RANDOM_PHPSESSID]" --data "[email protected]&senha=system('uname -a ; uptime');"

Successful execution returning system information indicates the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update Slah CMS to the patched version released on 2026-01-05 that fixes this vulnerability.

The technical fix involves removing the use of eval() for dynamic code execution in the session() function and replacing it with secure alternatives such as switch-case statements or whitelist-based mappings to prevent execution of untrusted input as code.

Until the update can be applied, restrict access to the vulnerable endpoints, monitor for suspicious POST requests containing the hardcoded key '[email protected]', and consider implementing web application firewall (WAF) rules to block such exploit attempts.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated remote code execution, leading to full system compromise. This can result in unauthorized access to sensitive data managed by the Slah CMS, which is used in governmental infrastructure.

Such a compromise can lead to violations of data protection regulations like GDPR and HIPAA, as these standards require adequate security measures to protect personal and sensitive information from unauthorized access or breaches.

Failure to patch this vulnerability could result in non-compliance with these regulations due to the risk of data breaches and lack of proper security controls.

Useful 0 Not Useful 0