CVE-2026-10606: DedeCMS 5.7.88 SQL Injection in Feedback Handler
DedeCMS version 5.7.88 contains a SQL injection vulnerability in its feedback handling system. An attacker can manipulate user input passed to the TrimMsg function in the feedback component to inject malicious SQL commands. Since no authentication is required and the attack can be performed over the network, this vulnerability poses a significant risk to any organization running the affected version. The vulnerability has already been disclosed publicly, increasing the likelihood of active exploitation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
A vulnerability was determined in DedeCMS 5.7.88. The affected element is the function TrimMsg of the file /plus/feedback.php of the component Feedback Handler. Executing a manipulation of the argument msg can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10606 is a SQL injection vulnerability in DedeCMS 5.7.88 affecting the TrimMsg function within /plus/feedback.php. The vulnerability stems from improper input validation on the msg parameter, allowing an attacker to break out of the intended SQL context and execute arbitrary database queries. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output) and CWE-89 (SQL Injection), indicating both the root cause and the resultant attack vector. With a CVSS 3.1 score of 7.3 and a network-accessible attack surface requiring no privileges or user interaction, the vulnerability is readily exploitable.
Business impact
A successful SQL injection attack via this vulnerability could allow an attacker to read, modify, or delete database records, potentially compromising sensitive customer data, user credentials, and system integrity. For organizations using DedeCMS as their content management platform, this could result in unauthorized data disclosure, defacement, or loss of service availability. The public disclosure of this vulnerability increases the window of exposure and the likelihood of opportunistic attacks targeting unpatched instances.
Affected systems
DedeCMS version 5.7.88 is explicitly affected. Organizations running this version—particularly those with publicly accessible feedback forms—face direct risk. Other versions of DedeCMS may be vulnerable depending on their codebase; however, only version 5.7.88 is confirmed in this advisory. Verify your deployment version and consult DedeCMS security advisories for information on other potentially affected releases.
Exploitability
This vulnerability is highly exploitable. The attack requires no authentication, no special privileges, and no user interaction—an attacker need only craft a malicious request to the feedback endpoint with a specially crafted msg parameter. The public disclosure means that proof-of-concept code or attack patterns may be widely available. The combination of network accessibility, low attack complexity, and no prerequisites makes this a high-priority target for automated scanning and exploitation campaigns.
Remediation
Immediate patching is the primary remediation. Contact the DedeCMS vendor to obtain and deploy the latest security patch for version 5.7.88 or upgrade to a newer, patched release. In the interim, implement network-level access controls to restrict who can reach the /plus/feedback.php endpoint, disable the feedback functionality if not essential, or apply Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the msg parameter. Input validation and parameterized query review should be part of any security hardening effort.
Patch guidance
Check the DedeCMS project repository and official security advisories for available patches. Apply the latest security update for your DedeCMS installation. After patching, validate that the feedback functionality operates normally and that your application logs show no anomalies. Consider testing patches in a non-production environment before deploying to production systems. If upgrading to a new major version, review compatibility with any custom modules or extensions.
Detection guidance
Monitor access logs for unusual patterns targeting /plus/feedback.php, particularly requests with encoded or obfuscated payloads in the msg parameter. Web Application Firewall signatures for SQL injection (e.g., SQL keywords like UNION, SELECT, DROP in parameter values) should be deployed and tuned. Intrusion detection systems can flag requests containing common SQL injection syntax. Database query logs should be reviewed for unexpected queries originating from the web application. Consider implementing alerting for failed SQL parsing or database errors logged in conjunction with feedback submissions.
Why prioritize this
This vulnerability warrants high-priority remediation due to the combination of high CVSS score (7.3), public disclosure increasing exploit availability, network-accessible attack surface, and no authentication requirement. The data confidentiality, integrity, and availability impacts are all present (per the CVSS vector), and SQL injection vulnerabilities are among the most commonly exploited weaknesses in web applications. Any DedeCMS 5.7.88 instance with internet-facing feedback forms is an immediate target.
Risk score, explained
The CVSS 3.1 score of 7.3 (HIGH) reflects a network-accessible SQL injection with no authentication barriers and significant impact across confidentiality, integrity, and availability. The complete CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L indicates network-based attack, low complexity, no privileges or user interaction needed, and localized (not cross-boundary) scope with partial impacts on all three security properties. The public disclosure status and lack of KEV status do not lower the intrinsic risk but do increase the practical exploitation timeline.
Frequently asked questions
Is my DedeCMS installation vulnerable if I'm not using the feedback feature?
DedeCMS 5.7.88 itself is vulnerable if installed, even if you have disabled or hidden the feedback feature. An attacker can still attempt to directly access /plus/feedback.php. However, organizations that have completely removed or disabled the feedback module mitigate the immediate risk. Confirm whether the file /plus/feedback.php is present and accessible in your deployment.
What data is at risk if this vulnerability is exploited?
An attacker who successfully exploits this SQL injection can potentially access any data stored in your DedeCMS database, including user accounts, authentication credentials, site content, and any custom data your organization has stored. The scope of exposure depends on the database permissions assigned to the DedeCMS application user and the sensitivity of data you store.
Is there a workaround if I cannot patch immediately?
While patching is the definitive fix, temporary mitigations include: restricting network access to the /plus/feedback.php endpoint via firewall rules or Web Application Firewall policies, disabling the feedback form at the application level, or applying input validation rules that reject requests containing SQL syntax. These are temporary measures and should be replaced with an official patch as soon as possible.
How can I tell if my system has been compromised by this vulnerability?
Review web server access logs for requests to /plus/feedback.php containing suspicious characters or SQL keywords in the msg parameter. Check database query logs and error logs for unusual SQL statements or parsing errors. Monitor user accounts for unauthorized access or privilege escalation. If you have security information and event management (SIEM) tools, create alerts for SQL injection signatures targeting the feedback endpoint.
This analysis is provided for informational purposes based on publicly available CVE data and vendor advisories. The information herein does not constitute security guarantees or legal advice. Organizations should verify all affected product versions, patch availability, and compatibility against their specific DedeCMS deployments and the official DedeCMS security advisories. Testing of patches and mitigations in non-production environments is strongly recommended before production deployment. This vulnerability assessment does not include weaponized exploit code or step-by-step attack instructions. For the most current information, consult the DedeCMS project security resources and the official CVE record. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel
- CVE-2026-10184HIGHSQL Injection in SourceCodester Hospitals Patient Records System 1.0
- CVE-2026-10185HIGHSQL Injection in SourceCodester Hospitals Patient Records Management System 1.0
- CVE-2026-10186HIGHSQL Injection in Online Hospital Management System 1.0 – Remote Code Execution Risk
- CVE-2026-10208HIGHSQL Injection in Online Hospital Management System Login
- CVE-2026-10225HIGHSQL Injection in PHP Student Management System Login