HarborGuard Database

CVE-2026-38615 (CRITICAL), CNA: mitre

CVE-2026-38615: DedeCMS V5

DedeCMS V5.7.118 is vulnerable to Command Execution in file_manage_control.php.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: none published
Affected Products: 1


HarborGuard Analysis

Synopsis

DedeCMS V5.7.118 contains a command execution vulnerability in the file_manage_control.php component. The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N) rates the flaw as reachable over the network, low in attack complexity, and requiring neither privileges nor user interaction, so any remote party that can reach the endpoint is in scope. Successful exploitation yields arbitrary operating system command execution on the host at the privilege level of the web server process, with high confidentiality, integrity and availability impact: data disclosure, tampering, and service disruption. No fix version has been published; HarborGuard tracks the upstream advisory and will make a patched rebuild available as soon as one is released.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-38615 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of publication via continuous ingestion from upstream advisory feeds. Coverage extends to custom-built images that bundle DedeCMS V5.7.118, not only official upstream images.

Triage: Available

HarborGuard scores this CVE at its CVSS v3.1 rating of 9.8 (Critical) and weights it against each environment's compliance policy to determine urgency. Triage routing directs the finding to the appropriate team inbox in each customer organization according to configured ownership rules.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available as soon as an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads are triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable component is exposed over the network (AV:N); an attacker must be able to send HTTP requests to the DedeCMS instance to reach the file_manage_control.php endpoint.

  • Authentication: Not required

    No account or session credentials are needed (PR:N); the attack is open to any unauthenticated remote party.

  • Victim interaction: Not required

    No user has to be tricked into taking an action (UI:N); exploitation is entirely attacker-driven.

  • Attack complexity: Low

    Attack complexity is low (AC:L), meaning exploitation depends on no special timing, race conditions, or environmental prerequisites beyond being able to reach the endpoint.

Blast Radius

  • An attacker executes arbitrary operating system commands on the host running DedeCMS, gaining the same OS-level access as the web server process.
  • All data stored by the application, including user credentials, content, and configuration files, is readable by the attacker.
  • The attacker can modify or delete persisted application data, database records, and files on the host filesystem.
  • The attacker can terminate processes or exhaust host resources, taking the DedeCMS service and potentially co-hosted services offline.
  • The vector's S:U (scope unchanged) means the rated impact is confined to the host running DedeCMS; any lateral movement from that host is not part of the score and depends on what that host can reach.

How HarborGuard Handles This

Available on HarborGuard: this critical-severity CVE (CVSS 9.8) is matched against all customer images continuously, including internally built images that package DedeCMS V5.7.118. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment an upstream version is published. For customers with auto-remediation enabled, that rebuild is followed immediately by a regression test run and a PR opened against affected workloads, with no manual intervention required.

In the interim, compensating controls worth considering:

  • network-policy isolation that restricts inbound access to the DedeCMS instance to trusted sources only;
  • egress filtering, so that a command-execution payload attempting an outbound callback or second-stage download is contained;
  • blocking or removing access to the file-management endpoint (file_manage_control.php) at the web server or application layer if it is not operationally required.

HarborGuard will re-alert on any advisory update, including partial or vendor-specific patches, so affected environments are not left waiting silently.
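The first two compensating controls, inbound isolation and egress filtering, can be expressed as Kubernetes NetworkPolicy objects. The following is an added example, not HarborGuard's or DedeCMS's own configuration. It assumes (hypothetically) that the DedeCMS pods run in a namespace named web with the label app=dedecms and listen on 80/TCP, that trusted operators reach them only through an ingress controller in the ingress-nginx namespace, that the site's database is a pod labelled app=mysql in the same namespace, and that cluster DNS is the standard kube-dns deployment in kube-system. Selectors, namespaces and ports must be adjusted to the real cluster.

```yaml
# Added example (not HarborGuard's or DedeCMS's configuration): a default-deny
# policy plus a minimal allow policy for the DedeCMS workload while no upstream
# fix exists. All labels, namespaces and ports below are assumptions.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dedecms-default-deny
  namespace: web                   # assumed namespace of the DedeCMS pods
spec:
  podSelector:
    matchLabels:
      app: dedecms                 # assumed pod label
  # Both directions listed with no rules: everything is denied unless another
  # policy selecting the same pods allows it.
  policyTypes: ["Ingress", "Egress"]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dedecms-allow-minimal
  namespace: web
spec:
  podSelector:
    matchLabels:
      app: dedecms
  policyTypes: ["Ingress", "Egress"]
  ingress:
    # Inbound only from the ingress controller namespace (assumed to be
    # ingress-nginx). Nothing else in the cluster can reach
    # file_manage_control.php directly; source-IP restriction to trusted
    # operators is then enforced at the ingress controller.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 80                 # assumed application port
  egress:
    # Egress limited to cluster DNS and the application database, so a
    # command-execution payload cannot fetch a second stage or call home.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns    # standard kube-dns label, assumed present
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    - to:
        - podSelector:
            matchLabels:
              app: mysql           # assumed database pod label
      ports:
        - protocol: TCP
          port: 3306
```

Apply with `kubectl apply -f` and verify from a pod in another namespace that a request to the DedeCMS service times out, and from the DedeCMS pod that an outbound connection to an arbitrary external host fails while DNS and the database still work. NetworkPolicy is only enforced when the cluster's CNI supports it (for example Calico or Cilium); on a CNI that does not, the objects are accepted but have no effect. The "trusted sources only" part of the control still has to be configured at the ingress controller, for example with the ingress-nginx `nginx.ingress.kubernetes.io/whitelist-source-range` annotation on the Ingress that fronts DedeCMS.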

Affected packages: n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References