CVE-2026-29839 in DedeCMS

Summary

by MITRE • 03/24/2026

DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability in /sys_task_add.php.


Analysis

by VulDB Data Team • 03/28/2026

The vulnerability identified as CVE-2026-29839 affects DedeCMS version 5.7.118 and resides in the /sys_task_add.php component of the content management system. It is a critical security flaw that allows attackers to execute unauthorized administrative actions on vulnerable systems. The issue is a cross-site request forgery (CSRF) vulnerability: a malicious actor can trick an authenticated user into performing unintended operations without that user's knowledge or consent. Such vulnerabilities are particularly dangerous in CMS environments, where administrative functions are reachable by authenticated users with elevated privileges.

Technically, the CSRF flaw stems from the absence of anti-forgery tokens or equivalent validation in the system task addition functionality: when a user opens the system task creation page, the application does not adequately protect the resulting request against cross-site request forgery. An attacker can therefore craft requests that are executed on behalf of an authenticated administrator, potentially leading to unauthorized system modifications, data manipulation, or privilege escalation. The affected functionality typically handles administrative operations such as scheduling automated tasks, modifying system configurations, or managing background processes.

The operational impact extends beyond simple data corruption or unauthorized access. An attacker could use the flaw to create persistent backdoors, modify critical system configurations, or execute arbitrary commands within the CMS environment. In a typical exploitation scenario, the attacker must convince a legitimate administrator to visit a malicious website containing crafted requests that target the vulnerable /sys_task_add.php endpoint. The consequences could include complete system compromise, data loss, or unauthorized access to sensitive information stored in the CMS. The vulnerability violates security principles established in the OWASP Top Ten and is classified under CWE-352, which specifically covers cross-site request forgery flaws. Because the attack abuses the trust relationship between the web application and its authenticated users, it is particularly challenging to detect and prevent.

Organizations running DedeCMS v5.7.118 should immediately apply the latest security patches released by the vendor, implement proper anti-forgery token validation, and enforce strict input validation on all administrative endpoints. System administrators should also consider deploying a web application firewall to detect and block suspicious requests targeting vulnerable endpoints. Remediation should include thorough security testing of all administrative interfaces to confirm that CSRF protection is in place. Security teams should additionally conduct regular vulnerability assessments and maintain up-to-date threat intelligence to identify similar weaknesses across their technology stack. This vulnerability underlines the importance of current security practices and defense-in-depth strategies against attacks that ride on authenticated sessions; exploitation can cause significant business disruption and regulatory compliance issues, so prompt remediation is essential for system integrity and user trust.
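The missing control described in the analysis above is a per-session anti-forgery token checked on every state-changing request. The following is an added example of such a guard for a PHP form handler; it is not DedeCMS code and not the vendor's patch. The function names, the session key `csrf_token`, the form field `_csrf`, and the host name in the self-test are assumptions made for the example. It issues a random token bound to the session, embeds it in the form, and on submission requires a POST whose token matches in constant time, rejecting requests whose Origin or Referer header names a foreign site as a second layer.

```php
<?php
// Added example (not DedeCMS code): a minimal CSRF guard for a PHP form handler
// such as /sys_task_add.php. Session key, field name and host are assumptions.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';   // assumed session key
const CSRF_FIELD       = '_csrf';        // assumed hidden-field name

// Issue (or reuse) a per-session token. Call before rendering the form.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        // 32 random bytes from the CSPRNG, hex-encoded (64 chars)
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden input to embed inside the task-creation <form>.
function csrf_field(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate a state-changing request. Returns true only when:
//  1. the method is POST (a GET must never create a task),
//  2. Origin/Referer, if present, name this host (defense in depth), and
//  3. the submitted token equals the session token (constant-time compare).
function csrf_check(array $post, array $server, ?string $sessionToken): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $host = $server['HTTP_HOST'] ?? '';
    foreach (['HTTP_ORIGIN', 'HTTP_REFERER'] as $header) {
        if (empty($server[$header])) {
            continue;   // header absent: fall through to the token check
        }
        $srcHost = parse_url($server[$header], PHP_URL_HOST) ?? '';
        $srcPort = parse_url($server[$header], PHP_URL_PORT);
        $src = $srcPort ? "$srcHost:$srcPort" : $srcHost;
        // "null" or an unparsable Origin yields '' and is rejected here
        if (strcasecmp((string) $src, $host) !== 0) {
            return false;
        }
    }
    if ($sessionToken === null || $sessionToken === '') {
        return false;   // no token was ever issued to this session
    }
    $submitted = $post[CSRF_FIELD] ?? '';
    return is_string($submitted) && hash_equals($sessionToken, $submitted);
}

// Handler usage (assumed placement): run before any task is written.
function guard_request(): void
{
    if (!csrf_check($_POST, $_SERVER, $_SESSION[CSRF_SESSION_KEY] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
}

// Constructed self-test when run from the command line.
if (PHP_SAPI === 'cli') {
    $expect = static function (bool $cond, string $what): void {
        if (!$cond) {
            fwrite(STDERR, "FAILED: $what\n");
            exit(1);
        }
    };
    $tok  = bin2hex(random_bytes(32));
    $base = ['REQUEST_METHOD' => 'POST', 'HTTP_HOST' => 'cms.example.test'];
    // forged cross-site POST: no token, foreign Origin -> rejected
    $expect(!csrf_check([], $base + ['HTTP_ORIGIN' => 'https://attacker.example'], $tok),
            'cross-site POST without token is rejected');
    // same-site POST carrying the wrong token -> rejected
    $expect(!csrf_check([CSRF_FIELD => str_repeat('0', 64)],
                        $base + ['HTTP_ORIGIN' => 'https://cms.example.test'], $tok),
            'wrong token is rejected');
    // GET with a valid token -> rejected (state changes must be POST)
    $expect(!csrf_check([CSRF_FIELD => $tok], ['REQUEST_METHOD' => 'GET'] + $base, $tok),
            'GET is rejected');
    // same-site POST with the session token -> accepted
    $expect(csrf_check([CSRF_FIELD => $tok],
                       $base + ['HTTP_ORIGIN' => 'https://cms.example.test'], $tok),
            'valid same-site POST is accepted');
    echo "csrf_check self-test passed\n";
}
```

The token check is the primary control; the Origin/Referer comparison only adds coverage for requests that carry those headers, and a missing header is deliberately not treated as a failure so that legitimate clients behind privacy proxies still work. When this is wired into a real handler, the form must be rendered with `csrf_field()` and every code path that creates, edits or deletes a task must call `guard_request()` before touching persistent state.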

Responsible

MITRE

Reservation

03/04/2026

Disclosure

03/24/2026

Moderation

accepted

CPE

ready

EPSS

0.00018

KEV

no

Activities

very low

Sources
