CVE-2026-49954
Deferred Deferred - Pending Action

Authenticated LFI in Discuz! X5.0 via Plugin Path Traversal

Vulnerability report for CVE-2026-49954, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: VulnCheck

Description

Discuz! X5.0 releases 20260320 through 20260610 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute. Attackers can trigger an exception during plugin installation to bypass sanitization routines, causing malicious paths to be stored unsanitized and subsequently passed to include(), which combined with file upload functionality escalates to arbitrary code execution in the context of the web server user.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-15
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
discuz discuz From 20260320 (inc) to 20260610 (inc)
discuz discuz x3.4
discuz discuz x3.5
comsenz discuz! From 20260320 (inc) to 20260501 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-49954 is a local file inclusion (LFI) vulnerability in Discuz! X5.0 versions released between 20260320 and 20260610. It affects the plugin management functionality, specifically during plugin installation.

Authenticated administrators can exploit this flaw by importing a specially crafted plugin configuration file containing path traversal sequences in the directory attribute. When an exception is triggered during plugin installation, it bypasses sanitization routines, causing malicious paths to be stored without proper validation.

These unsanitized paths are later passed to PHP's include() function, enabling arbitrary code execution in the context of the web server user. The attack combines this file inclusion flaw with file upload functionality to escalate to full system compromise.

Impact Analysis

This vulnerability can have severe impacts including arbitrary code execution on the web server hosting Discuz! X5.0.

An attacker with administrator privileges can exploit this flaw to execute malicious code, potentially leading to full system compromise.

This could result in unauthorized access, data theft, service disruption, or further exploitation of the affected system.

Detection Guidance

Detection of this vulnerability involves checking for the presence of Discuz! X5.0 versions between 20260320 and 20260610 and monitoring for suspicious plugin installation activities that may include path traversal sequences in plugin configuration files.

Since the vulnerability is exploited by importing specially crafted plugin configurations with directory traversal sequences, you can look for unusual or malformed plugin configuration files or logs indicating exceptions during plugin installation.

Commands to assist detection might include searching the web server or application directories for plugin configuration files containing path traversal patterns such as "../" sequences.

  • grep -r '\.\./' /path/to/discuz/plugins/
  • grep -r 'directory=' /path/to/discuz/plugins/ | grep '\.\./'

Additionally, reviewing web server logs for errors or exceptions during plugin installation or unusual include() calls may help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include restricting administrator access to trusted users only, as exploitation requires authenticated administrator privileges.

Avoid importing or installing any untrusted or suspicious plugins, especially those with unusual directory attributes.

Monitor and audit plugin installation activities closely to detect any attempts to exploit the vulnerability.

Since no official patch is currently available, consider disabling the plugin installation functionality temporarily if possible.

Implement additional web application firewall (WAF) rules to detect and block path traversal sequences in plugin-related requests.

Compliance Impact

The vulnerability allows authenticated administrators to execute arbitrary code on the web server, potentially leading to unauthorized access, data breaches, or system compromise.

Such unauthorized access and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system operations.

However, the provided information does not explicitly describe the direct effects on compliance or specific regulatory impacts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49954. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart