HIGH 7.3

CVE-2026-10608: DedeCMS 5.7.88 SQL Injection in carbuyaction.php - Critical Patch Required

DedeCMS version 5.7.88 contains a SQL injection vulnerability in its RemoveXSS function within the /plus/carbuyaction.php file. An attacker can inject malicious SQL commands through the postname or des parameters without authentication, potentially compromising data confidentiality, integrity, and availability. The vulnerability is remotely exploitable and proof-of-concept code has been publicly released.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

A security flaw has been discovered in DedeCMS 5.7.88. This affects the function RemoveXSS of the file /plus/carbuyaction.php. The manipulation of the argument postname/des results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the RemoveXSS function of /plus/carbuyaction.php in DedeCMS 5.7.88, where insufficient input sanitization on the postname and des parameters permits SQL injection. The flaw combines improper input validation (CWE-74) with classic SQL injection techniques (CWE-89). An unauthenticated remote attacker can craft malicious HTTP requests to manipulate SQL queries executed by the application, bypassing authentication controls entirely.

Business impact

Successful exploitation enables attackers to read, modify, or delete database records, potentially exposing sensitive content management data, user credentials, or site configuration details. Depending on database permissions and CMS configuration, attackers could gain administrative control, modify website content, or pivot to other systems sharing database credentials. The public availability of exploit code significantly accelerates attack likelihood.

Affected systems

DedeCMS version 5.7.88 is confirmed vulnerable. Organizations running this version should assume systems are at risk if exposed to network traffic from untrusted sources. Verify your DedeCMS installation version immediately; versions before and after 5.7.88 should be evaluated against vendor advisory documentation to determine if they are affected.

Exploitability

This vulnerability rates as highly exploitable: it requires no authentication, no user interaction, and minimal network complexity. The attack vector is network-based and can be triggered via simple HTTP requests. Public disclosure of exploit code means attackers have a weaponized attack path available, significantly shortening time-to-exploitation for threat actors.

Remediation

Update DedeCMS to a patched version released by the vendor that addresses this SQL injection flaw. If an immediate patch is unavailable, implement network segmentation to restrict access to /plus/carbuyaction.php to trusted internal networks only. Apply Web Application Firewall (WAF) rules to block requests containing SQL metacharacters in the postname and des parameters.

Patch guidance

Contact the DedeCMS vendor or check their official security advisory for the specific patched version addressing CVE-2026-10608. Apply patches immediately upon availability, as public exploits increase attack surface. Test patches in a staging environment before production deployment to ensure compatibility with custom extensions or configurations.

Detection guidance

Monitor web server logs for HTTP POST/GET requests to /plus/carbuyaction.php containing SQL keywords (SELECT, UNION, DROP, INSERT, etc.) in the postname or des parameters. Deploy WAF rules to flag requests with SQL metacharacters ('--', ';', '/*', etc.) in those parameters. Monitor database query logs for suspicious or malformed SQL statements originating from the web application. Network intrusion detection systems should flag connections to the vulnerable endpoint from external sources.

Why prioritize this

HIGH severity (CVSS 7.3) combined with public exploit availability and zero authentication requirements demands immediate attention. This is not a theoretical vulnerability—attack code exists in the wild. Any organization running DedeCMS 5.7.88 should prioritize patching within 24-48 hours, and those unable to patch immediately must implement compensating controls.

Risk score, explained

The CVSS 7.3 score reflects a network-exploitable, unauthenticated attack requiring minimal complexity that impacts all three security pillars: confidentiality (database read access), integrity (content modification), and availability (potential database disruption). The absence of user interaction and the ease of exploitation elevate risk beyond the base score; public exploit availability further increases likelihood of real-world attack.

Frequently asked questions

Is DedeCMS still actively maintained and supported?

Verify the current maintenance status and patch availability directly with the DedeCMS vendor. If the product is no longer receiving security updates, prioritize migration to an actively maintained content management system within your remediation timeline.

Can we safely disable /plus/carbuyaction.php if we do not use that feature?

If the functionality is not required, disabling or removing the file is a valid temporary mitigation. However, verify that no custom plugins or configurations depend on this module. A vendor patch remains the preferred solution to maintain full feature availability.

What database permissions should we limit to reduce impact if SQL injection succeeds?

Apply the principle of least privilege: the web application's database user should have SELECT, INSERT, and UPDATE permissions only on required tables, never DROP or ALTER permissions. Use separate, restricted credentials for administrative functions rather than a single all-powerful account.

How do we check if we've been compromised before patching?

Review database audit logs and web server access logs for suspicious SQL queries or requests to /plus/carbuyaction.php from external IPs. Engage a forensic analysis team if you cannot rule out prior exploitation, especially given the public availability of exploit code.

This analysis is based on publicly available vulnerability data and vendor disclosures current as of the publication date. Version numbers, patch availability, and remediation steps should be verified against official vendor advisories before implementation. SEC.co does not provide legal liability protection; organizations remain responsible for assessing risk within their own environment and determining appropriate remediation timelines. This vulnerability intelligence is provided as-is without warranty; security teams should conduct independent validation and testing prior to deployment of mitigations or patches in production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).