Server-Side Request Forgery Vulnerability in DedeCMS 5.7.88
CVE-2026-10581

5.3MEDIUM

Key Information:

Vendor

DedeCMS

Status
Dedecms
Vendor
CVE Published:
2 June 2026

What is CVE-2026-10581?

A security flaw has been discovered in DedeCMS 5.7.88 that leverages an improper handling of input within the function base64_decode located in the file /plus/download.php?open=1. This vulnerability allows a malicious actor to perform a server-side request forgery (SSRF) by manipulating the Link argument, potentially leading to unauthorized access to internal resources or sensitive information on the server. With evidence of exploit availability, immediate remediation measures should be considered to safeguard web applications utilizing this CMS.

Affected Version(s)

DedeCMS 5.7.88

References

https://vuldb.com/vuln/367676
vdb-entrytechnical-description
https://vuldb.com/vuln/367676/cti
signaturepermissions-required
https://vuldb.com/cve/CVE-2026-10581
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

R21Z20 (VulDB User)
VulDB Vulnerability Moderation Team
.