CVE-2026-30694
Published: 19 March 2026
Description
An issue in DedeCMS v.5.7.118 and before allows a remote attacker to execute arbitrary code via the array_filter component
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely patching and remediation of the code injection flaw in DedeCMS array_filter component to eliminate arbitrary code execution risk.
Enforces input validation at the vulnerable array_filter entry point to reject malicious payloads that enable code injection.
Provides vulnerability scanning to identify the presence of CVE-2026-30694 in DedeCMS installations, enabling proactive remediation.
Security SummaryAI
CVE-2026-30694 is a code injection vulnerability (CWE-94) affecting DedeCMS versions 5.7.118 and earlier, specifically in the array_filter component. Published on 2026-03-19, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for remote arbitrary code execution.
Any unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation allows the attacker to achieve high-impact effects on confidentiality, integrity, and availability, potentially leading to full compromise of the affected DedeCMS instance through execution of arbitrary code.
Advisories and further details on exploitation or mitigation are documented in references including https://jacobjacobjacob.gitbook.io/cve-2026-30694/ and https://leixyous-personal-organization.gitbook.io/dedecms-file-manage-getshell-via-bypass-blacklist/.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-30694 is a critical remote code execution vulnerability in a public-facing web application (DedeCMS), directly enabling exploitation of public-facing applications for initial access.