CVE-2026-10072: DreamMaker Arbitrary File Upload RCE Vulnerability
DreamMaker, a product developed by Interinfo, contains a vulnerability that allows attackers with privileged access to upload arbitrary files to the server. An attacker exploiting this flaw could upload malicious web shells, gaining the ability to execute code and maintain persistent access to the affected system. The vulnerability requires the attacker to have elevated credentials, but once leveraged, it provides complete control over server operations.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-434
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10072 is an arbitrary file upload vulnerability (CWE-434) in DreamMaker that fails to properly validate or restrict file uploads from authenticated users with elevated privileges. The vulnerability permits remote code execution through the injection of web shell backdoors. The CVSS 3.1 score of 7.2 (HIGH) reflects high impact across confidentiality, integrity, and availability, though exploitation requires privileged access (PR:H) and occurs over the network without user interaction (AV:N/AC:L/UI:N).
Business impact
Successful exploitation could result in unauthorized code execution, data theft, system compromise, and persistent attacker presence within your infrastructure. For organizations relying on DreamMaker, this represents a direct path to post-authentication privilege escalation and lateral movement. The risk is particularly acute if DreamMaker is internet-facing or accessible from untrusted networks, as compromised privileged accounts become a vector for full system takeover.
Affected systems
The vulnerability affects DreamMaker as developed by Interinfo. At this time, specific version ranges have not been detailed in available advisories. You should verify the vendor advisory to identify which versions of DreamMaker are vulnerable and whether patches have been released. Check your deployment inventory immediately to determine exposure.
Exploitability
Exploitation requires the attacker to already possess privileged credentials (high privilege requirement). However, the attack itself is straightforward—upload a crafted file and execute it—making the barrier to weaponization low once authentication is obtained. The network-accessible nature and low attack complexity mean that insider threats or compromised administrator accounts pose immediate risk. The vulnerability is not currently tracked on the CISA Known Exploited Vulnerabilities (KEV) catalog.
Remediation
Apply vendor patches as soon as they become available. Until patches are deployed, implement strict controls over file upload functionality: restrict upload locations to non-executable directories, enforce whitelist-based file type validation, disable script execution in upload directories via web server configuration, and audit privileged account activity for suspicious file uploads. Consider temporarily disabling the affected upload feature if business operations permit.
Patch guidance
Contact Interinfo directly or monitor their security advisories for patch availability and version numbers. Verify the specific version of DreamMaker you are running and cross-reference against the vendor's advisory to confirm patch applicability. Test patches in a non-production environment before deployment to ensure compatibility with your configuration and dependent systems.
Detection guidance
Monitor web server logs for unusual file uploads targeting directories typically used by DreamMaker. Look for uploads of files with double extensions (e.g., .php.jpg), uploads followed immediately by HTTP requests to the uploaded file, and any POST requests to upload endpoints from privileged accounts during unusual hours or from anomalous IP ranges. Implement file integrity monitoring on upload directories to detect new executable files. Correlate upload activity with process execution logs to identify shell spawning.
Why prioritize this
While this vulnerability requires privileged access, the ease of exploitation once an attacker has credentials and the complete system compromise it enables warrant urgent attention. Organizations with internet-exposed DreamMaker instances, shared hosting environments, or weak privileged account hygiene should prioritize patching. Even air-gapped deployments should be assessed, as insider threats and supply-chain compromises can introduce privileged attackers.
Risk score, explained
The CVSS 7.2 score reflects the high severity of post-authentication code execution. The HIGH rating appropriately captures the complete compromise potential (full impact to confidentiality, integrity, and availability) despite the elevated privilege requirement. The network-accessible attack vector and low complexity further justify urgency. Organizations should not underestimate this risk; a single compromised privileged account turns this into a critical internal threat.
Frequently asked questions
Does this vulnerability affect all versions of DreamMaker?
The available information does not specify affected versions. You must consult the Interinfo vendor advisory to confirm which versions are vulnerable and whether patches exist for your deployment.
Can this vulnerability be exploited remotely by unauthenticated attackers?
No. The vulnerability explicitly requires privileged remote access (PR:H in the CVSS vector). An attacker must already possess elevated credentials. However, compromised admin accounts, insider threats, or weak authentication mechanisms can lower this barrier in practice.
What is the primary risk if we leave this unpatched?
An attacker with privileged credentials can upload a web shell, execute arbitrary code on your server, and establish persistent backdoor access. This could lead to data exfiltration, malware deployment, lateral network movement, and operational disruption.
Is there active exploitation of this vulnerability in the wild?
As of the last update, this vulnerability is not listed on the CISA KEV catalog, suggesting it is not yet widely exploited in active attacks. However, the absence of public exploitation does not eliminate risk, particularly for internet-exposed instances or organizations with weak access controls.
This analysis is based on information available as of the publication and modification dates provided. Specific version numbers, patch releases, and detailed vendor advisories are not included; consult Interinfo's official security bulletins for authoritative guidance. CVSS score and severity are as published by the source. Exploitation requirements, impacts, and mitigation effectiveness may vary based on configuration and deployment context. This document is for informational purposes and does not constitute legal or compliance advice. Verify all remediation steps in a test environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25409HIGHSIM-PKH 2.4.1 Arbitrary File Upload Leading to Remote Code Execution
- CVE-2026-30761HIGHSourceBans Material Admin Arbitrary File Upload RCE Vulnerability
- CVE-2026-39292HIGHPHPPageBuilder Remote Code Execution via Unrestricted File Upload
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation
- CVE-2026-10806MEDIUMUnrestricted File Upload in mjperpinosa stumasy
- CVE-2026-10807MEDIUMUnrestricted File Upload in mjperpinosa stumasy Profile Image Handler