CVE-2026-30457
Published: 26 March 2026
Description
An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code.
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely flaw remediation, directly mitigating CVE-2026-30457 by patching the code injection vulnerability in the FuelCMS Dwoo parser component.
SI-10 enforces information input validation, preventing attackers from executing arbitrary PHP code via crafted inputs to the vulnerable Dwoo parser.
RA-5 provides vulnerability monitoring and scanning to identify systems affected by CVE-2026-30457 in FuelCMS v1.5.2.
Security SummaryAI
CVE-2026-30457 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in the /parser/dwoo component of Daylight Studio FuelCMS version 1.5.2. Published on 2026-03-26T19:16:59.900, it stems from CWE-94 (code injection) and enables attackers to execute arbitrary code via crafted PHP code.
Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, authentication, or user interaction. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, allowing full remote code execution on affected systems.
Advisories and related resources, including vendor sites at http://daylight.com and http://fuelcms.com, the FuelCMS GitHub repository at https://github.com/daylightstudio/FUEL-CMS/tree/master/fuel/modules/fuel/libraries/parser/dwoo, and a pentest report at https://pentest-tools.com/PTT-2025-026-PHP-Code-Execution-Via-Dwoo-Escape.pdf, provide further details on the issue.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-30457 enables remote code execution via code injection in a public-facing web application component (FuelCMS parser/dwoo), directly facilitating T1190: Exploit Public-Facing Application.