CVE-2026-10581: DedeCMS 5.7.88 SSRF Vulnerability in Download Function
DedeCMS 5.7.88 contains a server-side request forgery (SSRF) vulnerability in its download functionality. An authenticated attacker can manipulate the Link parameter passed to the base64_decode function in /plus/download.php to cause the server to make unintended requests to internal or external systems. This allows an attacker with login credentials to potentially access restricted resources, exfiltrate data, or pivot to other systems on the network.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-918
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
A flaw has been found in DedeCMS 5.7.88. Affected by this vulnerability is the function base64_decode of the file /plus/download.php?open=1. This manipulation of the argument Link causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been published and may be used.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in DedeCMS 5.7.88 where the download.php endpoint with the open=1 parameter insufficiently validates the Link argument before passing it to base64_decode operations. The flaw falls under CWE-918 (Server-Side Request Forgery), enabling an authenticated user to construct malicious input that causes the server to initiate HTTP requests to unintended destinations. The attack does not require user interaction and operates within the authenticated session context. Public exploit code is available, increasing the practical risk of exploitation.
Business impact
Organizations running DedeCMS 5.7.88 face exposure of internal network topology, access to backend services, and potential data exfiltration through SSRF chains. An authenticated user—whether internal staff with compromised credentials or a malicious insider—can bypass network segmentation, access metadata services (e.g., cloud instance metadata APIs), or trigger unwanted outbound connections that could facilitate lateral movement. The medium CVSS score reflects the authentication requirement, but the availability of public exploits accelerates attack timeline.
Affected systems
DedeCMS 5.7.88 is the confirmed affected version. Organizations should verify whether they operate this CMS release in production or development environments. Earlier and later versions should be evaluated against vendor security advisories to determine the full scope of impact.
Exploitability
Exploitation requires valid authentication credentials to access the CMS. However, because public exploits are documented and the vulnerability is trivial to chain once inside an authenticated session, the bar for exploitation is low. Insider threats, credential compromise, or brute-force attacks against weak admin panels significantly increase practical risk. The attack surface is the /plus/download.php endpoint with open=1 parameter, which may or may not be restricted by network controls depending on deployment architecture.
Remediation
Apply security updates from the DedeCMS vendor that address SSRF validation in the download module—verify the specific patched version against the official DedeCMS security advisory. As an interim control, restrict network access to /plus/download.php to trusted IP ranges only. Implement input validation and URL allowlisting on the Link parameter to ensure only legitimate internal destinations can be requested. Review and strengthen authentication mechanisms to reduce credential compromise risk.
Patch guidance
Check the DedeCMS official website and security advisories for patched versions released after 5.7.88. Apply patches in a test environment first to validate compatibility with custom modules or extensions. If patches are not yet available, prioritize deploying the interim controls outlined in remediation_summary while monitoring for vendor updates. Document the version and patch date for audit and compliance purposes.
Detection guidance
Monitor /plus/download.php access logs for unusual patterns: authentication events followed by requests with suspicious or base64-encoded Link parameters, requests to internal IP ranges (10.x.x.x, 172.16–31.x.x, 192.168.x.x), or requests to cloud metadata endpoints (169.254.169.254, etc.). Enable web application firewall rules to flag attempts to access localhost, private networks, or unusual external domains through the download function. Log and alert on failed and successful base64_decode operations in the download module context.
Why prioritize this
Although the CVSS score is MEDIUM (6.3), prioritization should be elevated for organizations where DedeCMS 5.7.88 is internet-facing or accessed by multiple staff members. The authentication requirement reduces surface area, but public exploit availability and the SSRF nature of the flaw (enabling lateral movement and data exfiltration) make this a meaningful insider and credential-compromise risk. Patch within 30 days if feasible, sooner if the CMS is externally exposed.
Risk score, explained
CVSS 3.1 score of 6.3 (MEDIUM) reflects: Network attack vector (AV:N), low attack complexity (AC:L), and low privilege requirement (PR:L—authentication needed). The impact is limited to confidentiality, integrity, and availability of the attacked resource (S:U—scope unchanged), not the broader system. The score does not account for exploit availability or ease of chaining; contextualize this as a foundation upon which organizational risk modeling should layer business criticality, network exposure, and credential hygiene.
Frequently asked questions
Can this vulnerability be exploited without logging in?
No. The vulnerability requires valid authentication (PR:L in the CVSS vector). However, if credentials are compromised through phishing, weak passwords, or insider access, exploitation becomes trivial. Organizations should evaluate their authentication posture and user awareness as part of overall risk mitigation.
What internal systems are at greatest risk?
Internal services accessible from the DedeCMS server—such as databases, caches, APIs, metadata endpoints, and administrative panels—are targets. Cloud deployments are particularly at risk if the CMS instance can reach instance metadata services. Network segmentation and firewall rules limiting outbound connections from the CMS server significantly reduce this exposure.
Is there a public exploit available?
Yes, the vulnerability description notes that exploit code has been published. This means the community and threat actors can more easily craft attacks. Prioritize patching and detection accordingly.
How does this differ from a typical SQL injection or file upload vulnerability?
Unlike direct data exfiltration flaws, SSRF is an indirect attack: the attacker abuses the server's legitimate outbound connections to reach restricted resources. This makes it harder to detect and often enables chaining with other vulnerabilities (e.g., accessing an internal admin panel, or querying AWS metadata). Detection requires monitoring outbound traffic patterns and request logs, not just input validation.
This analysis is based on the published vulnerability record as of June 2026. Verify all patch versions, vendor advisories, and affected product lists directly with DedeCMS maintainers and your internal deployment records. Security recommendations should be adapted to your network architecture, compliance requirements, and risk tolerance. No warranty is provided; this content is for informational purposes only. Always test patches in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10052MEDIUMQuay SSRF in LDAP/SMTP Validation—Internal Network Reconnaissance Risk
- CVE-2026-10177MEDIUMSSRF in Aider-AI Aider 0.86.3 AWS Metadata Endpoint
- CVE-2026-10239MEDIUMJeecgBoot Server-Side Request Forgery (SSRF) in Word Editing Module
- CVE-2026-10240MEDIUMJeecgBoot SSRF Vulnerability in /airag/airagModel/test Endpoint
- CVE-2026-10241MEDIUMJimuReport SSRF in File Download Function – Patch to 3.9.2
- CVE-2026-10274MEDIUMServer-Side Request Forgery in aem-mcp-server
- CVE-2026-10276MEDIUMJenkins-server-mcp SSRF Vulnerability (0.1.0)
- CVE-2026-10517MEDIUMClair SSRF Vulnerability – Unfiltered HTTP Requests Leak Metadata