SQL Injection Vulnerability in DedeCMS 5.7.88 by DedeCMS
CVE-2026-10608

6.9MEDIUM

Key Information:

Vendor

DedeCMS

Status
Dedecms
Vendor
CVE Published:
2 June 2026

What is CVE-2026-10608?

A security flaw exists in DedeCMS 5.7.88 linked to the RemoveXSS function located in the /plus/carbuyaction.php file. This vulnerability allows for SQL injection through the manipulation of the postname/des argument, enabling remote attackers to execute arbitrary SQL queries. The exploit has been publicized, raising significant concerns for users and administrators of the affected version of DedeCMS.

Affected Version(s)

DedeCMS 5.7.88

References

https://vuldb.com/vuln/367915
vdb-entrytechnical-description
https://vuldb.com/vuln/367915/cti
signaturepermissions-required
https://vuldb.com/cve/CVE-2026-10608
third-party-advisory

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

R21Z20 (VulDB User)
VulDB Vulnerability Moderation Team
.