PatchSiren cyber security CVE debrief
CVE-2026-49953 Discuz! CVE debrief
CVE-2026-49953 is a CAPTCHA bypass vulnerability in Discuz! X5.0 releases from 20260320 to 20260610. The vulnerability allows unauthenticated remote attackers to bypass challenge controls by exploiting the limited complexity and predictable character sets in generated CAPTCHA images. Attackers can train a custom optical character recognition model against collected CAPTCHA samples to reliably predict challenge text, defeating the controls that protect login, registration, and other functionality from automated abuse.
- Vendor: Discuz!
- Product: Discuz! X5.0
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of Discuz! X5.0 releases from 20260320 to 20260610 should apply patches or mitigations to prevent CAPTCHA bypass attacks.
Technical summary
The vulnerability has a CVSS score of 6.9 and is classified as MEDIUM severity. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
MEDIUM
Recommended defensive actions
- Apply patches or updates to Discuz! X5.0 releases from 20260320 to 20260610.
- Implement additional security measures to prevent automated abuse, such as IP blocking or rate limiting.
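The rate-limiting action above, sketched as an added example that is not part of the advisory or of Discuz! itself: a sliding-window check over request records that counts every attempt on a CAPTCHA-protected action, whether or not the challenge was solved, since a solved challenge no longer indicates a human. The record layout, the action labels, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values; tune for the forum's real traffic.
WINDOW_SECONDS = 60
MAX_ATTEMPTS = 5
PROTECTED_ACTIONS = {"login", "register"}  # hypothetical action labels


def flag_automated_clients(events, window=WINDOW_SECONDS, limit=MAX_ATTEMPTS):
    """Return {ip: first timestamp at which the ip exceeded the limit}.

    events: iterable of (timestamp_seconds, ip, action, captcha_passed),
    sorted by timestamp. The CAPTCHA result is deliberately ignored:
    with OCR-solvable challenges, a pass is not evidence of a human.
    """
    recent = defaultdict(deque)  # ip -> attempt timestamps inside the window
    flagged = {}
    for ts, ip, action, _captcha_passed in events:
        if action not in PROTECTED_ACTIONS:
            continue
        q = recent[ip]
        q.append(ts)
        # Drop attempts that have aged out of the sliding window.
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


def sample_events():
    """Constructed request records using documentation IP ranges."""
    events = []
    # Client A: 12 registrations in 24 s, every CAPTCHA solved.
    events += [(1000 + 2 * i, "192.0.2.10", "register", True) for i in range(12)]
    # Client B: 3 logins spread over 90 s, one failed CAPTCHA.
    events += [(1000, "198.51.100.7", "login", False),
               (1045, "198.51.100.7", "login", True),
               (1090, "198.51.100.7", "login", True)]
    # Client C: heavy traffic on an action that is not CAPTCHA-protected.
    events += [(1000 + i, "203.0.113.5", "viewthread", True) for i in range(30)]
    return sorted(events)


if __name__ == "__main__":
    for ip, ts in flag_automated_clients(sample_events()).items():
        print(f"{ip} exceeded {MAX_ATTEMPTS} attempts/{WINDOW_SECONDS}s at t={ts}")
```

A limiter that only counts failed challenges would miss Client A entirely, which is why the CAPTCHA result is left out of the decision.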
Evidence notes
The vulnerability was reported by Karmainsecurity and is tracked under CVE-2026-49953.
Official resources
CVE-2026-49953 was published on 2026-06-15T20:16:29.260Z and modified on 2026-06-15T21:17:22.980Z.