{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30457", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-28T01:57:48.991Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-26T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-26T18:42:26.701Z"}, "descriptions": [{"lang": "en", "value": "An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://daylight.com"}, {"url": "http://fuelcms.com"}, {"url": "https://github.com/daylightstudio/FUEL-CMS/tree/master/fuel/modules/fuel/libraries/parser/dwoo"}, {"url": "https://pentest-tools.com/PTT-2025-026-PHP-Code-Execution-Via-Dwoo-Escape.pdf"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-28T01:56:09.234038Z", "id": "CVE-2026-30457", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T01:57:48.991Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30457", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-28T01:56:09.234038Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T01:57:43.322Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://daylight.com"}, {"url": "http://fuelcms.com"}, {"url": "https://github.com/daylightstudio/FUEL-CMS/tree/master/fuel/modules/fuel/libraries/parser/dwoo"}, {"url": "https://pentest-tools.com/PTT-2025-026-PHP-Code-Execution-Via-Dwoo-Escape.pdf"}], "descriptions": [{"lang": "en", "value": "An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-26T18:42:26.701Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30457", "state": "PUBLISHED", "dateUpdated": "2026-03-28T01:57:48.991Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-26T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:thedaylightstudio:dwoo:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "198E645D-F606-400B-BCAA-525E32EB8051", "vulnerable": true}, {"criteria": "cpe:2.3:a:thedaylightstudio:fuel_cms:1.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "E3A44312-83D2-4421-9A35-3FD048EA578A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code."}, {"lang": "es", "value": "Un problema en el componente /parser/dwoo de Daylight Studio FuelCMS v1.5.2 permite a los atacantes ejecutar c\u00f3digo arbitrario a trav\u00e9s de c\u00f3digo PHP especialmente dise\u00f1ado."}], "id": "CVE-2026-30457", "lastModified": "2026-03-30T14:11:06.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T19:16:59.900", "references": [{"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "http://daylight.com"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "http://fuelcms.com"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/daylightstudio/FUEL-CMS/tree/master/fuel/modules/fuel/libraries/parser/dwoo"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "Exploit"], "url": "https://pentest-tools.com/PTT-2025-026-PHP-Code-Execution-Via-Dwoo-Escape.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.5.2"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 98.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "fuel_cms", "vendor": "daylightstudio"}], "analysis": {"en": {"generated_at": "2026-03-28T06:16:23.963292+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest FuelCMS release that includes the patched Dwoo parser.", "If an upgrade cannot be performed immediately, disable or remove the Dwoo parser module from the application configuration to eliminate the attack surface.", "Ensure that no external or unauthenticated content is parsed by the Dwoo engine until a fix is applied.", "Deploy web application firewall rules to block known malicious payload patterns targeting the parser endpoint.", "Stay informed of new advisories from the vendor or security researchers regarding this issue."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary PHP code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in Daylight Studio FuelCMS version 1.5.2. Systems running this version, or any installation that includes the Dwoo parser module without updates, are vulnerable.", "description_and_impact": "An insecure implementation of the Dwoo parser in FuelCMS allows a remote attacker to embed and run arbitrary PHP code. The flaw falls under CWE-94, enabling an attacker to execute code with the privileges of the web application. Successful exploitation yields full control over the host, exposing or modifying sensitive data, and providing a foothold for further attacks. The high CVSS score reflects the severity of this remote code execution capability.", "risk_and_exploitability": "The probability of exploitation is currently predicted to be low, with an EPSS score under 1%. However, the flaw remains highly severe: any exposed instance that accepts crafted parser input can be compromised. The lack of widespread public exploitation to date does not reduce the critical risk posed to affected deployments."}}}}, "created": "2026-03-27T08:36:24.026499+00:00", "title": "Remote PHP Code Execution via Dwoo Parser in FuelCMS", "updated": "2026-03-29T20:28:07.043925+00:00", "vendors": ["daylightstudio", "daylightstudio$PRODUCT$fuel_cms"]}