CVE-2026-15700 in DedeCMSinfo

Summary

by MITRE • 07/14/2026

A security flaw has been discovered in DedeCMS 5.7.118. Affected by this vulnerability is the function ExtractFile of the file include/zip.class.php of the component Album Publishing Feature. The manipulation of the argument filename results in path traversal. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/14/2026

The security vulnerability identified in DedeCMS 5.7.118 represents a critical path traversal flaw within the Album Publishing Feature component, specifically affecting the ExtractFile function in include/zip.class.php. This vulnerability stems from insufficient input validation and sanitization of the filename argument, creating an exploitable condition that allows attackers to manipulate file paths through crafted input parameters. The flaw exists at the core of how the system processes archive extraction operations, where user-supplied filenames are directly incorporated into file system operations without proper boundary checking or normalization.

The technical implementation of this vulnerability enables remote code execution through path traversal attacks, allowing malicious actors to access, modify, or delete files outside the intended directory structure. When an attacker supplies a specially crafted filename parameter containing directory traversal sequences such as ../ or ..\, the ExtractFile function fails to properly validate these inputs, resulting in unauthorized file system access. This flaw operates at the application layer and can be exploited through web-based interfaces where users upload or process archive files, making it particularly dangerous in content management systems that handle user-generated content.

The operational impact of this vulnerability extends beyond simple data exposure, as it provides attackers with potential access to sensitive system files, configuration data, and potentially full system compromise. The public availability of exploits for this vulnerability significantly increases the risk profile, enabling automated attacks against unpatched installations without requiring advanced technical skills. Organizations running DedeCMS 5.7.118 are particularly vulnerable due to the widespread adoption of this content management system in web publishing environments where file upload functionality is commonly utilized.

Security mitigations for this vulnerability should include immediate patching of the affected DedeCMS version, implementing input validation and sanitization measures for all user-supplied filename parameters, and deploying web application firewalls with rules specifically targeting path traversal patterns. Organizations should also conduct comprehensive security assessments to identify other potential vulnerabilities in their DedeCMS installations, particularly focusing on file upload and archive processing functionalities. The vulnerability aligns with CWE-22 Path Traversal and can be mapped to ATT&CK technique T1059 Command and Scripting Interpreter, as it enables attackers to execute arbitrary commands through manipulated file paths that may ultimately lead to system command execution. Additionally, implementing principle of least privilege for web application accounts and restricting write permissions on critical system directories can significantly reduce the potential impact of successful exploitation attempts.

Responsible

VulDB

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!