PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49954 Discuz! CVE debrief

CVE-2026-49954 is a HIGH severity (CVSS 8.6) local file inclusion (LFI) vulnerability in Discuz! X5.0 that lets an authenticated administrator execute arbitrary code. It affects Discuz! X5.0 releases from 20260320 through 20260610. An attacker who holds an administrator account imports a specially crafted plugin configuration whose directory attribute contains path traversal sequences. The crafted value triggers an exception during plugin installation, and that exception path skips the sanitization routines, so the traversal path is stored unsanitized. When the stored path is later passed to include(), the attacker gets arbitrary code execution as the web server user.

Vendor
Discuz!
Product
Discuz! X5.0
CVSS
HIGH 8.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-15
Original CVE updated
2026-06-15
Advisory published
2026-06-15
Advisory updated
2026-06-15

Who should care

Anyone operating a Discuz! X5.0 forum on an affected release (20260320 through 20260610). Exploitation requires an administrator account, so the practical risk is a compromised, phished or malicious admin account, or an admin who imports a plugin configuration from an untrusted source; either turns forum-admin access into code execution as the web server user. Treat it as a patch-now issue.

Technical summary

The root cause is a local file inclusion (LFI) in the Discuz! X5.0 plugin import. The directory attribute of an imported plugin configuration is supposed to be sanitized, but a value containing path traversal sequences triggers an exception during plugin installation, and that exception path bypasses the sanitization routines. The unsanitized path is stored anyway and is later handed to include(), so an authenticated administrator can make the application include a file of their choosing and execute arbitrary code as the web server user.

Defensive priority

HIGH

Recommended defensive actions

  • Update Discuz! X5.0 to a release later than 20260610, the last affected build; every release from 20260320 through 20260610 is vulnerable.
  • Limit who can import plugin configurations, keep administrator accounts to the minimum needed, and only import plugin packages obtained from a trusted source. Because exploitation needs an administrator session, protecting those accounts (strong unique passwords, MFA where the deployment supports it) directly reduces exposure.
  • Until patched, check stored plugin directory values for traversal sequences or path separators and reject anything that is not a single path component, and make sure a failed installation does not leave an unsanitized value behind. Constraining PHP with open_basedir to the web root also limits what a traversal can reach, though it does not remove the bug.
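A model of the ordering flaw described in the technical summary and of the check recommended in the last bullet, written here as an added example in Python. It is not Discuz!'s code and does not reproduce its real plugin format, file layout or sanitizer: PLUGIN_ROOT, the plugin configuration dict, InstallError and the installer callables are all constructed for the demonstration. The vulnerable function records the directory value before installation and sanitizes it only after a successful install, so an exception from the installer leaves the raw traversal path in the store; the hardened function validates the value before doing anything else and persists nothing on failure. audit_plugin_dirs is the offline check for values that are already stored.

```python
import posixpath
import re

# Constructed plugin root for the demonstration; not Discuz!'s real layout.
PLUGIN_ROOT = "/var/www/discuz/source/plugin"

# Assumed policy: a plugin directory is one path component of letters, digits
# and underscores. Anything else (separators, "..", NUL) is rejected.
_SAFE_DIR = re.compile(r"[A-Za-z0-9_]{1,64}")


class InstallError(Exception):
    """Raised by the (constructed) installer when a package cannot be installed."""


def is_safe_plugin_dir(name) -> bool:
    """True only if name is a single, traversal-free path component."""
    return isinstance(name, str) and _SAFE_DIR.fullmatch(name) is not None


def sanitize_dir(name: str) -> str:
    """Stand-in for a post-install sanitizer that strips separators and '..'.
    The point of the example is that it never runs on the exception path."""
    return re.sub(r"[/\\]|\.\.", "", name)


def install_plugin_vulnerable(config: dict, store: dict, installer) -> bool:
    """Models the flawed ordering: the raw directory value is persisted first
    and sanitized only after a successful install. If installer() raises,
    the unsanitized value stays in the store."""
    store["directory"] = config["directory"]
    try:
        installer(config)
        store["directory"] = sanitize_dir(config["directory"])
    except InstallError:
        return False  # sanitization skipped; traversal path remains stored
    return True


def install_plugin_hardened(config: dict, store: dict, installer) -> bool:
    """Validate before persisting anything; persist nothing if install fails."""
    name = config["directory"]
    if not is_safe_plugin_dir(name):
        raise ValueError(f"rejected plugin directory {name!r}")
    try:
        installer(config)
    except InstallError:
        return False
    store["directory"] = name
    return True


def included_path(store: dict, root: str = PLUGIN_ROOT) -> str:
    """The path a later include() would resolve from the stored value.
    Nothing is read; this only shows where the traversal lands."""
    return posixpath.normpath(posixpath.join(root, store["directory"], "plugin.php"))


def contained_path(store: dict, root: str = PLUGIN_ROOT) -> str:
    """Defence in depth at include time: refuse any resolved path outside root."""
    root = posixpath.normpath(root)
    path = included_path(store, root)
    if not path.startswith(root + "/"):
        raise ValueError(f"{path} escapes {root}")
    return path


def audit_plugin_dirs(values) -> list:
    """Offline check for stored values: return those that are not a single
    safe path component."""
    return [v for v in values if not is_safe_plugin_dir(v)]


def failing_installer(config: dict) -> None:
    # Constructed installer that fails the way a crafted package might.
    raise InstallError("package validation failed")


def succeeding_installer(config: dict) -> None:
    return None


if __name__ == "__main__":
    payload = {"directory": "../../../../../tmp/evil"}  # constructed traversal value
    vuln_store: dict = {}
    install_plugin_vulnerable(payload, vuln_store, failing_installer)
    print("vulnerable store:", vuln_store["directory"])
    print("would include:", included_path(vuln_store))
    try:
        install_plugin_hardened(payload, {}, failing_installer)
    except ValueError as exc:
        print("hardened:", exc)
    print("audit:", audit_plugin_dirs(["myplugin", "../../etc", "a/b"]))
```

The two fixes are independent and both worth having: rejecting the value up front removes the traversal at the source, and the containment check at include time catches any value that reached storage by another route (an older install, a direct database edit).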

Evidence notes

The vulnerability was reported by Karmainsecurity and is recorded in NVD.

Official resources

CVE-2026-49954 was published on 2026-06-15T20:16:29.420Z and modified on 2026-06-15T21:17:23.090Z.