HIGH 7.3

CVE-2026-10607: DedeCMS 5.7.88 SQL Injection in /plus/flink.php

DedeCMS 5.7.88 contains a SQL injection vulnerability in its friend links management function. An attacker can manipulate the 'msg' parameter in /plus/flink.php to inject malicious SQL commands, allowing unauthorized database access, modification, or deletion. No authentication is required, and the vulnerability can be exploited over the network. Public exploit code exists, elevating the practical risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

A vulnerability was identified in DedeCMS 5.7.88. The impacted element is the function dede_htmlspecialchars of the file /plus/flink.php. The manipulation of the argument msg leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the dede_htmlspecialchars function within /plus/flink.php of DedeCMS 5.7.88. The function fails to properly sanitize the 'msg' parameter before incorporating it into SQL queries, enabling classic SQL injection attacks. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates remote exploitability without authentication or user interaction. CWE-74 (Improper Neutralization of Special Elements) and CWE-89 (SQL Injection) classify the root causes. The availability of public exploit code represents a material increase in exploitation likelihood.

Business impact

Successful exploitation could allow attackers to read sensitive data from the CMS database, including user credentials, content, and configuration information. Attackers may also modify or delete database records, potentially defacing content or disrupting site availability. For organizations running DedeCMS installations—particularly those exposed to untrusted networks—this vulnerability creates immediate risk of data breach and operational disruption.

Affected systems

DedeCMS version 5.7.88 is directly affected. Organizations should verify whether this version is deployed in their environment, including development, staging, and production instances. DedeCMS is primarily used in Chinese-language content management scenarios; however, any publicly exposed instance is at risk regardless of geographic deployment.

Exploitability

The vulnerability is highly exploitable. Network accessibility (AV:N) with no authentication (PR:N) and no user interaction (UI:N) means an unauthenticated remote attacker can exploit it immediately upon network access to the affected endpoint. The existence of publicly available exploit code substantially lowers the barrier to weaponization. Active scanning and exploitation attempts should be anticipated.

Remediation

Immediate action is required. Organizations must upgrade DedeCMS to a patched version that addresses the SQL injection vulnerability—verify the specific patch version with the vendor advisory. If immediate patching is infeasible, implement network-level controls to restrict access to /plus/flink.php and the broader DedeCMS administrative interface. Web application firewalls (WAF) configured to detect and block SQL injection patterns in the 'msg' parameter may provide temporary mitigation pending patching.

Patch guidance

Contact the DedeCMS development team or consult their official advisory for the specific patched version address this CWE-89 SQL injection. Verify patch availability and test in non-production environments before deployment. Given the ease of exploitation, prioritize patching or decommissioning vulnerable instances within days, not weeks. Document the patch version applied for compliance and audit purposes.

Detection guidance

Monitor web server logs and WAF logs for requests to /plus/flink.php containing SQL metacharacters (e.g., quotes, semicolons, UNION, SELECT) in the 'msg' parameter. Implement database activity monitoring to detect anomalous queries executed from the web application account. Search endpoint detection tools and network traffic inspection systems for payloads characteristic of SQL injection attacks against DedeCMS. Log ingestion and SIEM correlation will help identify exploitation attempts in real time.

Why prioritize this

This vulnerability merits immediate attention due to its HIGH severity score (7.3), unauthenticated remote exploitability, public exploit availability, and direct path to database compromise. The combination of ease of exploitation and high impact makes it a priority target for attackers. Organizations running DedeCMS 5.7.88 should treat this as critical infrastructure risk.

Risk score, explained

The CVSS 3.1 score of 7.3 (HIGH) reflects the vulnerability's network accessibility, lack of authentication requirement, low attack complexity, and impact on confidentiality, integrity, and availability. The vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) indicates an attacker can remotely inject SQL without privileges or user interaction, accessing and modifying database contents. While not rated CVSS 9.0+, the practical risk is amplified by public exploit availability and the inherent sensitivity of CMS data.

Frequently asked questions

Is DedeCMS widely used, and should we care about this vulnerability?

DedeCMS is primarily deployed in Chinese-language web environments and content management scenarios. If your organization runs DedeCMS in production—particularly any internet-facing instance—this vulnerability should be treated as critical regardless of region. Even internal or legacy deployments should be assessed and patched or decommissioned.

What can an attacker do if they exploit this SQL injection?

An unauthenticated attacker can read arbitrary data from the CMS database, including user accounts, posts, and configuration data. They can also modify or delete records, potentially defacing the site, resetting admin accounts, or planting malicious content. In some database configurations, they may achieve remote code execution on the underlying server.

Is a WAF sufficient to protect against this vulnerability?

A WAF can reduce exposure by blocking requests with SQL injection patterns, but it is not a complete solution. WAF rules may be bypassed with encoding or obfuscation techniques. Patching is the only reliable remediation. Use WAF protection as a temporary measure while planning and executing a patch deployment.

How do I confirm if my DedeCMS installation is vulnerable?

Check your installed DedeCMS version; any instance running 5.7.88 is vulnerable. Verify the file /plus/flink.php exists and is accessible. Once you confirm the version, prioritize patching or isolation. Do not attempt to exploit the vulnerability in production systems; instead, coordinate with your vendor or security team on patch availability.

This analysis is provided for informational purposes to help security teams assess and remediate vulnerability risk. SEC.co does not verify exploit functionality or provide weaponized proof-of-concept code. Patch versions and vendor advisories must be independently verified before deployment. Organizations are responsible for their own risk assessments and compliance with applicable security policies and regulations. Testing should only be performed in controlled, authorized environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).