PatchSiren cyber security CVE debrief
CVE-2026-10072 Interinfo CVE debrief
## Summary CVE-2026-10072 documents an arbitrary file upload vulnerability in DreamMaker, a product developed by Interinfo. The flaw allows privileged remote attackers to upload and execute web shell backdoors, resulting in arbitrary code execution on the affected server. The vulnerability is classified as HIGH severity with a CVSS 4.0 score of 8.6. The issue was published to the NVD on 2026-05-29 and carries a status of 'Deferred,' indicating that analysis or remediation details may still be pending. The weakness is categorized as CWE-434 (Unrestricted Upload of File with Dangerous Type).
- Vendor
- Interinfo
- Product
- DreamMaker
- CVSS
- HIGH 8.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-29
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-29
- Advisory updated
- 2026-05-29
Who should care
Organizations running DreamMaker software developed by Interinfo, particularly those exposing file upload functionality to privileged users. Security teams responsible for web application security, incident response personnel monitoring for web shell activity, and system administrators managing DreamMaker deployments should prioritize assessment and hardening efforts.
Technical summary
The vulnerability exists in DreamMaker's file upload mechanism, which fails to adequately validate or restrict uploaded file types. An attacker with elevated privileges can exploit this weakness to upload malicious files—specifically web shells—to the server. Once uploaded, these files can be accessed and executed via HTTP requests, granting the attacker arbitrary code execution capabilities on the underlying server. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) indicates network attack vector, low attack complexity, no attack requirements, high privileges required, no user interaction, and high impacts to confidentiality, integrity, and availability of the vulnerable system. The scope is unchanged, with no subsequent impacts to security properties of dependent resources.
Defensive priority
HIGH
Recommended defensive actions
- Review and restrict file upload functionality in DreamMaker implementations, enforcing strict allowlists for file types and scanning uploaded content for executable code.
- Implement server-side validation to ensure uploaded files cannot be executed as scripts in web-accessible directories.
- Apply principle of least privilege to user accounts with upload capabilities, limiting the attack surface for privileged exploitation.
- Monitor for and remove unauthorized web shells or suspicious files in upload directories.
- Await vendor security advisory from Interinfo or TWCERT for official patch availability and deployment guidance.
Evidence notes
The vulnerability description and CVSS vector are sourced from the official NVD record. The weakness classification (CWE-434) is attributed to [email protected]. The vendor field in the source data is marked as 'Unknown Vendor' with low confidence and flagged for review, though the description explicitly identifies 'Interinfo' as the developer of DreamMaker. Two reference URLs from Taiwan's CERT (TWCERT) are provided but were not fully ingested for detailed technical content. The NVD status 'Deferred' suggests the entry may be awaiting additional analysis or vendor coordination.
Official resources
2026-05-29