CVE-2026-5248
Received Received - Intake
Object Attribute Injection in Gougucms 4.08.18 User Registration

Publication date: 2026-04-01

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in gougucms 4.08.18. This affects the function reg_submit of the file gougucms-master\app\home\controller\Login.php of the component User Registration Handler. Such manipulation of the argument level leads to dynamically-determined object attributes. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5248
EUVD
EUVD-2026-17747
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
thinhneee gougu_cms 4.08.18
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5248 is a Mass Assignment vulnerability found in Gougu CMS version 4.08.18, specifically in the user registration process at the /home/login/reg endpoint.

The vulnerability exists in the reg_submit function of the Login.php file, where parameters from the HTTP request are inserted into the database without proper filtering.

Although a validation function is called, it only checks for data type correctness or whether fields are empty, failing to restrict which parameters can be assigned.

An attacker can exploit this by injecting the 'level' parameter during registration, which allows them to escalate privileges and create VIP-level user accounts without authentication.

Impact Analysis

This vulnerability allows an unauthenticated attacker to escalate their privileges by injecting the 'level' parameter during user registration.

As a result, the attacker can create VIP-level user accounts, gaining unauthorized access to VIP-only assets and functionalities.

This can lead to confidentiality breaches by exposing sensitive information or restricted features to unauthorized users.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the user registration endpoint, specifically looking for the presence of the 'level' parameter in registration requests to /home/login/reg.

One way to detect exploitation attempts is to capture and inspect HTTP traffic using tools like tcpdump or Wireshark, filtering for POST requests to the registration endpoint.

Example commands to detect suspicious requests include:

  • Using tcpdump to capture HTTP POST requests to the registration endpoint: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /home/login/reg'
  • Using grep on web server logs to find requests containing the 'level' parameter: grep 'level=' /var/log/apache2/access.log

Additionally, web application firewalls (WAFs) can be configured to alert on or block requests containing unexpected parameters like 'level' during registration.

Mitigation Strategies

Immediate mitigation steps include restricting or validating input parameters on the user registration endpoint to prevent unauthorized assignment of sensitive fields like 'level'.

Specifically, the application should implement a whitelist of allowed parameters during registration and reject or ignore any unexpected parameters.

If possible, apply patches or updates from the vendor; however, in this case, the vendor has not responded.

Other steps include:

  • Implement web application firewall (WAF) rules to block or alert on requests containing the 'level' parameter in registration.
  • Monitor logs for suspicious registration attempts and disable accounts created with unauthorized privilege levels.
  • Restrict access to sensitive resources based on roles and privileges, assuming some accounts may have been compromised.
Compliance Impact

The vulnerability allows an attacker to escalate privileges by injecting the 'level' parameter during user registration, enabling unauthorized creation of VIP-level accounts. This unauthorized access to privileged user functionalities can lead to exposure or misuse of sensitive data.

Such unauthorized privilege escalation and potential data exposure can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5248. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart