Severity: CRITICAL | CVE-2026-10071 | CNA: twcert

CVE-2026-10071: Interinfo|DreamMaker - Arbitrary File Upload

DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

HarborGuard Analysis

Synopsis

This is an arbitrary file upload vulnerability in Interinfo DreamMaker that lets unauthenticated attackers write web shell files into a location where the server will execute them. The bug is reachable over the network without any login or user interaction, so an attacker who can connect to the application can upload a backdoor and run arbitrary commands as the server process. No fix has been published; HarborGuard tracks the advisory and will surface a patched-image rebuild as soon as the vendor ships one.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against DreamMaker images in customer registries and CI pipelines, including custom-built images derived from affected Java Composer 2.2 or earlier builds.
Triage: Available

Triage is available with the published CVSS v4.0 score of 9.3 (Critical) as the baseline, then re-weighted per environment using each customer org's compliance policy before the finding is routed to the inbox or ticket queue that owns the affected workload.
Patch: Pending upstream

No upstream fix exists yet, so a patched-image rebuild cannot be produced today. HarborGuard re-checks the Interinfo advisory each ingest cycle and will make a rebuilt image at the fixed version available the moment the vendor publishes one; auto-remediation customers will then automatically receive a rebuild, regression-test run, and PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the DreamMaker HTTP endpoint over the network (AV:N).

  • Authentication: Not required

    No credentials or session are needed; the upload endpoint accepts anonymous requests (PR:N).

  • Victim interaction: Not required

    Exploitation is driven entirely by the attacker's request, with no user action required (UI:N).

  • Attack complexity: Low

    Attack complexity is low: the upload-and-execute flow is reliable and does not depend on timing or environmental conditions (AC:L).

Blast Radius

  • Writes attacker-controlled files (typically a JSP or other web shell) into a server-executed path, yielding arbitrary command execution as the DreamMaker process.
  • Reads any data the application process can access, including configuration files, database credentials, and stored customer records.
  • Modifies or deletes files and database rows reachable from the compromised process, enabling tampering and persistence.
  • Disrupts service availability by killing the application, corrupting data, or using the host as a pivot into adjacent internal systems.

How HarborGuard Handles This

Available on HarborGuard: continuous matching of DreamMaker images (Java Composer 2.2 and earlier) against this advisory, plus alerting routed by each customer org's compliance policy. Because Interinfo has not published a fixed version, no rebuild can be produced yet; HarborGuard re-checks the advisory each ingest cycle and a patched-image rebuild will be made available automatically once the vendor ships a fix, with auto-remediation environments receiving a rebuild, regression run, and PR against affected workloads at that point. In the meantime, recommended compensating controls include restricting network exposure of the DreamMaker endpoint via network policy or VPN-only access, adding a WAF rule or reverse-proxy filter to block multipart uploads to unauthenticated paths, enforcing read-only or non-executable mounts on upload directories, and tightening egress filtering so a successful web shell cannot easily call out.
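The compensating controls above can be backed by detection at the reverse proxy while the fix is pending. The following is an added example, not HarborGuard or Interinfo code: it scans access log lines for anonymous multipart POSTs to an upload endpoint and for requests to executable (JSP-type) files under the upload directory, and correlates the two by client. The log format, the upload path, the upload directory and the session cookie name are assumptions; the sample lines are constructed.

```python
import re

# Assumed reverse-proxy log format (one request per line, quoted fields):
#   client "METHOD path" status "content-type" "cookie-header"
# The paths and cookie name below are assumptions, not from the advisory.
UPLOAD_PATH = "/dm/upload"        # assumed upload endpoint
UPLOAD_DIR = "/dm/uploads/"       # assumed directory where uploads land
SESSION_COOKIE = "JSESSIONID"     # assumed session cookie name
EXEC_EXT = re.compile(r"\.(jsp|jspx|jspf|war)(\?|$)", re.IGNORECASE)

LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'"(?P<ctype>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Constructed sample: one anonymous multipart upload followed by a fetch of a
# .jsp in the upload directory, and one legitimate authenticated upload.
SAMPLE_LOG = """\
10.0.0.5 "POST /dm/upload" 200 "multipart/form-data; boundary=x" ""
10.0.0.5 "GET /dm/uploads/x.jsp" 200 "" ""
10.0.0.9 "POST /dm/upload" 200 "multipart/form-data; boundary=y" "JSESSIONID=abc"
10.0.0.9 "GET /dm/uploads/report.pdf" 200 "" "JSESSIONID=abc"
"""

def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def analyze(log_text):
    """Return findings as (client, kind, path) tuples.
    kind is 'anon_upload' for a multipart POST to the upload endpoint with no
    session cookie, 'webshell_exec' for an executable fetched from the upload
    directory by a client that previously uploaded anonymously, and
    'exec_in_upload_dir' for such a fetch by any other client."""
    findings, anon_uploaders = [], set()
    for line in log_text.splitlines():
        r = parse(line)
        if not r:
            continue
        anonymous = SESSION_COOKIE + "=" not in r["cookie"]
        if (r["method"] == "POST" and r["path"].startswith(UPLOAD_PATH)
                and r["ctype"].startswith("multipart/form-data") and anonymous):
            findings.append((r["client"], "anon_upload", r["path"]))
            anon_uploaders.add(r["client"])
        if r["path"].startswith(UPLOAD_DIR) and EXEC_EXT.search(r["path"]):
            kind = "webshell_exec" if r["client"] in anon_uploaders else "exec_in_upload_dir"
            findings.append((r["client"], kind, r["path"]))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Any `exec_in_upload_dir` hit is itself worth blocking at the proxy, since nothing under the upload directory should ever be served as executable content.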

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: none (no upstream fix published)
Affected products: 1
Affected packages:
  • Interinfo / DreamMaker, ≤ Java Composer 2.2
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N