Cyber Posture

CVE-2026-5333

Severity: High · Public PoC

Published: 02 April 2026
Modified: 07 April 2026
KEV Added: none recorded
Patch: none recorded
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0025 (48.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A security flaw has been discovered in DefaultFuction Content-Management-System 1.0. It affects an unspecified function in the file /admin/tools.php: manipulation of the argument host results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

Mitigating Controls (NIST 800-53 r5)

prevent: Requires timely identification, reporting, and correction of the specific command injection flaw in /admin/tools.php of DefaultFuction CMS 1.0.

prevent: Validates the 'host' argument against an allow-list (a single hostname or IP literal) before it reaches any command, rather than trying to strip shell metacharacters from it.

prevent: Enforces logical access controls to block unauthorized remote access to the vulnerable /admin/tools.php endpoint.
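The second control above is the one that actually removes the bug class. The following is an added example, not code from the DefaultFuction project: the page does not say what /admin/tools.php does with 'host', so a helper that builds a command line from it is assumed, and `echo` stands in for the real tool so the demonstration runs offline. It shows the injectable pattern (untrusted input concatenated into a shell string) next to the hardened one (allow-list validation, then a single argv element with no shell). The CMS itself is PHP, where the same split applies: validate first, and use `escapeshellarg()` only as a second layer, never as the primary control.

```python
import ipaddress
import re
import subprocess

# Added example, not code from the DefaultFuction project. 'echo' stands in
# for whatever network tool /admin/tools.php wraps (assumption), so that the
# shell-vs-argv difference can be shown without network access.

# RFC 1123 style hostname: dot-separated labels of 1-63 alphanumerics or
# hyphens, no leading or trailing hyphen in a label, 253 characters overall.
HOSTNAME_RE = re.compile(
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def is_valid_host(host: str) -> bool:
    """Allow-list check: accept exactly one hostname or IP literal, nothing else."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)  # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    # fullmatch (not match/search) so a trailing newline or any extra byte fails
    return HOSTNAME_RE.fullmatch(host) is not None


def run_vulnerable(host: str) -> list:
    """The injectable pattern: untrusted input concatenated into a shell string."""
    out = subprocess.run(f"echo {host}", shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def run_hardened(host: str) -> tuple:
    """Validate first, then pass the value as one argv element with no shell."""
    if not is_valid_host(host):
        return ("rejected", [])
    out = subprocess.run(["echo", host], capture_output=True, text=True)
    return ("ok", out.stdout.splitlines())


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print("vulnerable:", run_vulnerable(payload))      # ['example.com', 'INJECTED']
    print("hardened:  ", run_hardened(payload))        # ('rejected', [])
    print("hardened:  ", run_hardened("example.com"))  # ('ok', ['example.com'])
```

With the shell string, `example.com; echo INJECTED` runs two commands; the hardened path rejects the same value before any process is started, and a legitimate hostname is passed as a single literal argument that no shell ever parses. The regex also rejects a leading hyphen, so a value cannot be smuggled in as an option to the wrapped tool.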

Security Summary

CVE-2026-5333 is a command injection vulnerability (CWE-74, CWE-77) in DefaultFuction Content-Management-System version 1.0. The issue lies in the handling of the 'host' argument in /admin/tools.php, where crafted input reaches an OS command. Published on 2026-04-02, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), rated High because it is reachable over the network and requires neither privileges nor user interaction.

Remote attackers need no privileges or user interaction to exploit this vulnerability over the network with low attack complexity. Successful exploitation allows execution of arbitrary commands on the affected system in the context of the web server process. The vector rates each of confidentiality, integrity and availability impact as Low; arbitrary command execution as the web server account typically grants access to everything that account can read, write or stop, so plan for a higher impact than the base score suggests. A public exploit has been released, heightening the risk of active attacks.

Advisories and details are documented in the project's GitHub repository (https://github.com/DefaultFuction/Content-Management-System/) and related issues (https://github.com/DefaultFuction/Content-Management-System/issues/1, https://github.com/DefaultFuction/Content-Management-System/issues/1#issue-4082558620). Further entries appear on VulDB (https://vuldb.com/submit/780849, https://vuldb.com/vuln/354667), though specific patch or mitigation guidance is not detailed in available references.

The public availability of an exploit underscores immediate risks for deployments of this CMS, warranting urgent review and potential isolation of exposed /admin/tools.php endpoints.

Details

CWE(s)

CWE-74, CWE-77

Affected Products

Vendor: defaultfuction
Product: content management system
Version: 1.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in a public-facing web application (/admin/tools.php) enables T1190 (Exploit Public-Facing Application) for initial access. Successful exploitation allows arbitrary OS command execution on the server, which maps to T1059.004 (Unix Shell) on a Unix host; the page does not state the server OS, and a Windows deployment would map to T1059.003 (Windows Command Shell) instead.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
