CVE-2026-49954
Deferred Deferred - Pending Action
BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: VulnCheck

Description
Discuz! X5.0 releases 20260320 through 20260610 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute. Attackers can trigger an exception during plugin installation to bypass sanitization routines, causing malicious paths to be stored unsanitized and subsequently passed to include(), which combined with file upload functionality escalates to arbitrary code execution in the context of the web server user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-15
Last Modified
2026-06-15
Generated
2026-06-16
AI Q&A
2026-06-15
EPSS Evaluated
N/A
NVD
CVE-2026-49954
EUVD
EUVD-2026-36794
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
discuz discuz From 20260320 (inc) to 20260610 (inc)
discuz discuz x3.4
discuz discuz x3.5
comsenz discuz! From 20260320 (inc) to 20260501 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-49954 is a local file inclusion (LFI) vulnerability in Discuz! X5.0 versions released between 20260320 and 20260610. It affects the plugin management functionality, specifically during plugin installation.

Authenticated administrators can exploit this flaw by importing a specially crafted plugin configuration file containing path traversal sequences in the directory attribute. When an exception is triggered during plugin installation, it bypasses sanitization routines, causing malicious paths to be stored without proper validation.

These unsanitized paths are later passed to PHP's include() function, enabling arbitrary code execution in the context of the web server user. The attack combines this file inclusion flaw with file upload functionality to escalate to full system compromise.

Impact Analysis

This vulnerability can have severe impacts including arbitrary code execution on the web server hosting Discuz! X5.0.

An attacker with administrator privileges can exploit this flaw to execute malicious code, potentially leading to full system compromise.

This could result in unauthorized access, data theft, service disruption, or further exploitation of the affected system.

Detection Guidance

Detection of this vulnerability involves checking for the presence of Discuz! X5.0 versions between 20260320 and 20260610 and monitoring for suspicious plugin installation activities that may include path traversal sequences in plugin configuration files.

Since the vulnerability is exploited by importing specially crafted plugin configurations with directory traversal sequences, you can look for unusual or malformed plugin configuration files or logs indicating exceptions during plugin installation.

Commands to assist detection might include searching the web server or application directories for plugin configuration files containing path traversal patterns such as "../" sequences.

  • grep -r '\.\./' /path/to/discuz/plugins/
  • grep -r 'directory=' /path/to/discuz/plugins/ | grep '\.\./'

Additionally, reviewing web server logs for errors or exceptions during plugin installation or unusual include() calls may help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include restricting administrator access to trusted users only, as exploitation requires authenticated administrator privileges.

Avoid importing or installing any untrusted or suspicious plugins, especially those with unusual directory attributes.

Monitor and audit plugin installation activities closely to detect any attempts to exploit the vulnerability.

Since no official patch is currently available, consider disabling the plugin installation functionality temporarily if possible.

Implement additional web application firewall (WAF) rules to detect and block path traversal sequences in plugin-related requests.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49954. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart