CVE-2026-15533
Received Received - Intake

Code Injection in DedeCMS via Column Name Parameter

Vulnerability report for CVE-2026-15533, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulDB

Description

A security flaw has been discovered in DedeCMS 5.7.118. Impacted is an unknown function of the file /plus/search.php of the component Column Management. Performing a manipulation of the argument Column Name results in code injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
dede dedecms 5.7.118
dede cms 5.7.118

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Remote Code Execution (RCE) flaw found in DedeCMS version 5.7.118. It arises from a security issue in the column name cache file writing mechanism within the /plus/search.php file of the Column Management component. By manipulating the 'Column Name' argument, an attacker can inject malicious code that gets written to a cache file and executed remotely.

Impact Analysis

An attacker exploiting this vulnerability can execute arbitrary code on the affected system remotely. This can lead to a full system compromise, allowing the attacker to take control over the server running DedeCMS, potentially leading to data theft, service disruption, or further attacks within the network.

Detection Guidance

Detection of this vulnerability involves monitoring for unusual requests targeting the /plus/search.php file, specifically those manipulating the Column Name argument to inject code.

You can use network monitoring tools or web server logs to identify suspicious HTTP requests that include unexpected parameters or payloads in the Column Name argument.

For example, using command line tools like grep on your web server logs to find requests to /plus/search.php with suspicious parameters:

  • grep "/plus/search.php" /path/to/access.log | grep -i "ColumnName"

Additionally, monitoring for newly created or modified cache files related to column names might help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable /plus/search.php endpoint, especially from untrusted networks.

Applying input validation and sanitization on the Column Name argument to prevent code injection is critical.

If possible, update DedeCMS to a version where this vulnerability is patched.

As a temporary measure, monitor and block suspicious requests targeting the vulnerable component and review file system changes related to cache files.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15533. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart