CVE-2026-30993
Published: 15 April 2026
Description
Slah CMS v1.5.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the session() function in config.php. The vulnerability is exploitable via crafted input.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the RCE vulnerability by requiring timely identification, reporting, and correction of the code injection flaw in the Slah CMS session() function.
- Prevents exploitation by enforcing input validation at entry points, such as the input that reaches the session() function in config.php.
- Identifies this RCE vulnerability in Slah CMS through regular vulnerability scanning and drives its remediation before it can be exploited.
Security Summary
Slah CMS versions 1.5.0 and below contain a remote code execution (RCE) vulnerability in the session() function within config.php. The flaw is classified as CWE-94 (code injection), is triggered by crafted input, and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), a critical rating reflecting the potential for complete system compromise.
Unauthenticated attackers can exploit this vulnerability remotely over the network, with low attack complexity and no user interaction required. Successful exploitation yields arbitrary code execution on the affected server, with high impact on confidentiality, integrity, and availability, and can lead to full control of the server.
Mitigation details and further advisories are referenced in sources such as https://cve.joaopaulodeoliveira.dev/cve.php/published/CVE-2026-30993 and https://cve.joaopaulodeoliveira.dev/cve.php/reserved/slah-informatica-eval-injection-rce, published on 2026-04-15.
Details
- CWE(s): CWE-94 (code injection)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated remote code execution flaw in a public-facing web application (a CMS), which maps directly to the exploitation of public-facing applications.