CVE-2026-49954: Discuz! X5.0 Local File Inclusion via enable_disable.php Plugin Directory
Discuz! X5.0 releases 20260320 through 20260610 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute. Attackers can trigger an exception during plugin installation to bypass sanitization routines, causing malicious paths to be stored unsanitized and subsequently passed to include(), which combined with file upload functionality escalates to arbitrary code execution in the context of the web server user.
Metrics
- CVSS v4.0: 8.6
- Severity: HIGH
- Fixed in: — (no upstream fix published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
Local file inclusion (LFI) vulnerability in Discuz! X5.0 (releases 20260320 through 20260610) lets an authenticated administrator execute arbitrary code on the server. The attack is reachable over the network but requires a valid admin account; the attacker imports a crafted plugin configuration containing path traversal sequences, triggers an exception to bypass sanitization, and causes a malicious path to be stored unsanitized and passed to PHP's include() function. Combined with file upload functionality, this escalates to arbitrary code execution running as the web server user. HarborGuard is tracking this advisory for patch availability, as no fix version has been published upstream.
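The store-then-sanitize ordering the synopsis describes, as an added illustration written for this page and not code from Discuz! or from HarborGuard: the function names, the in-memory plugin table, the PLUGIN_ROOT layout, the shape of the "sanitizer" and the assumed upload location are all hypothetical. The point it makes is the one that matters for the fix: the vulnerable flow persists the raw directory value before the sanitizer runs, so any exception raised in between leaves the traversal string stored, and the include site trusts that stored value; the hardened flow rejects the value with an allowlist before anything is persisted and re-checks containment at the include site.

```php
<?php
declare(strict_types=1);

// Hypothetical illustration of the bug class in CVE-2026-49954; not Discuz! code.
// A plugin config's "directory" attribute is meant to be a bare directory name
// under source/plugin/. The vulnerable flow persists it before the sanitizer runs,
// and an exception raised in between leaves the raw value in the plugin table.

const PLUGIN_ROOT = __DIR__ . '/source/plugin';   // assumed layout

/** Stand-in for a later installation step that can fail (here: a bad table definition). */
function applyPluginTables(array $config): void
{
    if (!preg_match('/^\w*$/', $config['datatables'])) {
        throw new RuntimeException('invalid datatables definition');
    }
}

/** Vulnerable: store first, sanitize later; the catch block never reaches the sanitizer. */
function installPluginVulnerable(array $config, array &$table): bool
{
    $table[$config['identifier']] = ['directory' => $config['directory']];  // raw value persisted
    try {
        applyPluginTables($config);                                          // attacker makes this throw
        $table[$config['identifier']]['directory'] =
            str_replace(['..', '/', '\\'], '', $config['directory']);        // sanitizer, skipped on exception
        return true;
    } catch (RuntimeException $e) {
        return false;  // install reports failure, but the traversal string is already stored
    }
}

/** Vulnerable include site: the stored value is concatenated into include() unchecked. */
function loadPluginFileVulnerable(array $table, string $identifier, string $file): void
{
    // With directory = "../../data/attachment/..." this includes an uploaded file;
    // include() parses any extension as PHP, so an attachment becomes code execution.
    include PLUGIN_ROOT . '/' . $table[$identifier]['directory'] . '/' . $file;
}

/** Hardened: reject the value before anything is persisted. Directory names are identifiers, not paths. */
function assertPluginDirectoryName(string $dir): string
{
    if (!preg_match('/^[a-z0-9_]{1,64}$/', $dir)) {
        throw new InvalidArgumentException("refusing plugin directory '$dir'");
    }
    return $dir;
}

function installPluginHardened(array $config, array &$table): void
{
    $dir = assertPluginDirectoryName($config['directory']);  // fails closed: nothing stored
    applyPluginTables($config);
    $table[$config['identifier']] = ['directory' => $dir];
}

/** Defence in depth at the include site: resolve and confirm containment under PLUGIN_ROOT. */
function resolvePluginFile(string $dir, string $file): string
{
    $root = realpath(PLUGIN_ROOT);
    $path = $root === false ? false : realpath($root . '/' . $dir . '/' . $file);
    if ($path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("plugin file outside plugin root: $dir/$file");
    }
    return $path;
}

// Constructed crafted config: traversal in "directory" plus a datatables value that forces the exception.
$crafted = [
    'identifier' => 'evil',
    'directory'  => '../../data/attachment/forum',   // assumed upload location
    'datatables' => 'bad;name',
];

$vulnTable = [];
$ok = installPluginVulnerable($crafted, $vulnTable);
printf("vulnerable install returned %s, stored directory = %s\n",
    var_export($ok, true), $vulnTable['evil']['directory']);

$safeTable = [];
try {
    installPluginHardened($crafted, $safeTable);
} catch (InvalidArgumentException $e) {
    printf("hardened install rejected it: %s; rows stored = %d\n", $e->getMessage(), count($safeTable));
}
```

Run it with `php example.php`: the vulnerable install reports failure yet leaves the traversal string in the table, which is exactly the state the advisory describes, while the hardened install stores nothing. The two controls are independent: the allowlist stops the bad value from ever being persisted, and the realpath containment check protects the include site even if a bad row reaches the database by some other route.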
HarborGuard Coverage
- Detection: Available. The CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Discuz! X5.0 components. Any image whose manifest or installed package inventory includes an affected release is flagged automatically.
- Triage: Available. The CVSS v4.0 score of 8.6 (HIGH) is weighted against each customer organization's compliance policy to determine urgency and routing, and findings are routed to the inbox configured for the affected workload's owner within each customer environment.
- Remediation: Pending upstream. Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version is released. In the interim, customers can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation of the Discuz! service and egress filtering to limit blast radius if the vulnerability is triggered.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the Discuz! web service via HTTP/HTTPS.
- Authentication: Required
A valid administrator account is required; any lower-privilege account is insufficient because the plugin import functionality is restricted to admin users.
- Victim interaction: Not required
No victim action is needed; the attacker initiates the full exploit chain autonomously after authenticating.
- Attack complexity: Low (AC:L in the vector below)
Exploitation is reliable and condition-free once admin credentials are obtained; the exception-triggering bypass is deterministic and does not depend on race conditions or environmental factors.
Blast Radius
- Reads arbitrary files from the server filesystem accessible to the web server user, including configuration files containing database credentials and secret keys (in a Discuz! X install, config/config_global.php holds the database credentials and the authkey used to sign cookies and tokens).
- Executes arbitrary PHP code in the context of the web server user, enabling full control of the application runtime.
- Modifies application data, session stores, or persisted database rows through the code execution primitive.
- Crashes or destabilizes the web server process if the attacker chooses to disrupt availability.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of this advisory across every ingest cycle so that a patched-image rebuild is published automatically the moment Discuz! ships a fix version. Until then, customers can use HarborGuard's network-policy isolation controls to restrict inbound access to the plugin import endpoint, apply egress filtering to limit what an exploited web server process can reach, and use feature-flag gating to disable plugin installation in production environments where it is not operationally required. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered immediately upon upstream patch availability, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in those environments.
Affected Products
- Discuz! / Discuz! X5.0 ≤ 20260610 (vulnerable range per the advisory: releases 20260320 through 20260610)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N