CVE-2026-10071
Arbitrary File Upload in DreamMaker
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: TWCERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| interinfo | dreammaker | to 2.3 (exc) |
| interinfo | dreammaker | From 2.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10071 is a critical Arbitrary File Upload vulnerability in DreamMaker's Java Composer software versions 2.2 and earlier.
This vulnerability allows unauthenticated remote attackers to upload and execute web shell backdoors on the affected server.
By exploiting this flaw, attackers can execute arbitrary code on the server, potentially taking full control of it.
How can this vulnerability impact me? :
The vulnerability can have severe impacts including unauthorized remote code execution on your server.
- Attackers can upload malicious web shells to the server.
- This can lead to full compromise of the server, data theft, service disruption, or further attacks within the network.
- Since the attack requires no authentication, it poses a high risk to any exposed DreamMaker Java Composer installations version 2.2 or earlier.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-10071 vulnerability in DreamMaker's Java Composer software, users should update to Java Composer version 2.3 or later.