CVE-2026-10607: DedeCMS 5.7.88 SQL Injection in /plus/flink.php
DedeCMS 5.7.88 contains a SQL injection vulnerability in its friend links management function. An attacker can manipulate the 'msg' parameter in /plus/flink.php to inject malicious SQL commands, allowing unauthorized database access, modification, or deletion. No authentication is required, and the vulnerability can be exploited over the network. Public exploit code exists, elevating the practical risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
A vulnerability was identified in DedeCMS 5.7.88. The impacted element is the function dede_htmlspecialchars of the file /plus/flink.php. The manipulation of the argument msg leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the dede_htmlspecialchars function within /plus/flink.php of DedeCMS 5.7.88. The function fails to properly sanitize the 'msg' parameter before incorporating it into SQL queries, enabling classic SQL injection attacks. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates remote exploitability without authentication or user interaction. CWE-74 (Improper Neutralization of Special Elements) and CWE-89 (SQL Injection) classify the root causes. The availability of public exploit code represents a material increase in exploitation likelihood.
Business impact
Successful exploitation could allow attackers to read sensitive data from the CMS database, including user credentials, content, and configuration information. Attackers may also modify or delete database records, potentially defacing content or disrupting site availability. For organizations running DedeCMS installations—particularly those exposed to untrusted networks—this vulnerability creates immediate risk of data breach and operational disruption.
Affected systems
DedeCMS version 5.7.88 is directly affected. Organizations should verify whether this version is deployed in their environment, including development, staging, and production instances. DedeCMS is primarily used in Chinese-language content management scenarios; however, any publicly exposed instance is at risk regardless of geographic deployment.
Exploitability
The vulnerability is highly exploitable. Network accessibility (AV:N) with no authentication (PR:N) and no user interaction (UI:N) means an unauthenticated remote attacker can exploit it immediately upon network access to the affected endpoint. The existence of publicly available exploit code substantially lowers the barrier to weaponization. Active scanning and exploitation attempts should be anticipated.
Remediation
Immediate action is required. Organizations must upgrade DedeCMS to a patched version that addresses the SQL injection vulnerability—verify the specific patch version with the vendor advisory. If immediate patching is infeasible, implement network-level controls to restrict access to /plus/flink.php and the broader DedeCMS administrative interface. Web application firewalls (WAF) configured to detect and block SQL injection patterns in the 'msg' parameter may provide temporary mitigation pending patching.
Patch guidance
Contact the DedeCMS development team or consult their official advisory for the specific patched version address this CWE-89 SQL injection. Verify patch availability and test in non-production environments before deployment. Given the ease of exploitation, prioritize patching or decommissioning vulnerable instances within days, not weeks. Document the patch version applied for compliance and audit purposes.
Detection guidance
Monitor web server logs and WAF logs for requests to /plus/flink.php containing SQL metacharacters (e.g., quotes, semicolons, UNION, SELECT) in the 'msg' parameter. Implement database activity monitoring to detect anomalous queries executed from the web application account. Search endpoint detection tools and network traffic inspection systems for payloads characteristic of SQL injection attacks against DedeCMS. Log ingestion and SIEM correlation will help identify exploitation attempts in real time.
Why prioritize this
This vulnerability merits immediate attention due to its HIGH severity score (7.3), unauthenticated remote exploitability, public exploit availability, and direct path to database compromise. The combination of ease of exploitation and high impact makes it a priority target for attackers. Organizations running DedeCMS 5.7.88 should treat this as critical infrastructure risk.
Risk score, explained
The CVSS 3.1 score of 7.3 (HIGH) reflects the vulnerability's network accessibility, lack of authentication requirement, low attack complexity, and impact on confidentiality, integrity, and availability. The vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) indicates an attacker can remotely inject SQL without privileges or user interaction, accessing and modifying database contents. While not rated CVSS 9.0+, the practical risk is amplified by public exploit availability and the inherent sensitivity of CMS data.
Frequently asked questions
Is DedeCMS widely used, and should we care about this vulnerability?
DedeCMS is primarily deployed in Chinese-language web environments and content management scenarios. If your organization runs DedeCMS in production—particularly any internet-facing instance—this vulnerability should be treated as critical regardless of region. Even internal or legacy deployments should be assessed and patched or decommissioned.
What can an attacker do if they exploit this SQL injection?
An unauthenticated attacker can read arbitrary data from the CMS database, including user accounts, posts, and configuration data. They can also modify or delete records, potentially defacing the site, resetting admin accounts, or planting malicious content. In some database configurations, they may achieve remote code execution on the underlying server.
Is a WAF sufficient to protect against this vulnerability?
A WAF can reduce exposure by blocking requests with SQL injection patterns, but it is not a complete solution. WAF rules may be bypassed with encoding or obfuscation techniques. Patching is the only reliable remediation. Use WAF protection as a temporary measure while planning and executing a patch deployment.
How do I confirm if my DedeCMS installation is vulnerable?
Check your installed DedeCMS version; any instance running 5.7.88 is vulnerable. Verify the file /plus/flink.php exists and is accessible. Once you confirm the version, prioritize patching or isolation. Do not attempt to exploit the vulnerability in production systems; instead, coordinate with your vendor or security team on patch availability.
This analysis is provided for informational purposes to help security teams assess and remediate vulnerability risk. SEC.co does not verify exploit functionality or provide weaponized proof-of-concept code. Patch versions and vendor advisories must be independently verified before deployment. Organizations are responsible for their own risk assessments and compliance with applicable security policies and regulations. Testing should only be performed in controlled, authorized environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel
- CVE-2026-10184HIGHSQL Injection in SourceCodester Hospitals Patient Records System 1.0
- CVE-2026-10185HIGHSQL Injection in SourceCodester Hospitals Patient Records Management System 1.0
- CVE-2026-10186HIGHSQL Injection in Online Hospital Management System 1.0 – Remote Code Execution Risk
- CVE-2026-10208HIGHSQL Injection in Online Hospital Management System Login
- CVE-2026-10225HIGHSQL Injection in PHP Student Management System Login