CVE-2026-10581

Published Jun 2, 2026 · today

A flaw has been found in DedeCMS 5.7.88. Affected by this vulnerability is the function base64_decode of the file /plus/download.php?open=1. This manipulation of the argument Link causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been published and may be used.

Weaknesses

CWE-918

CVSS scores

v4.02.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
v3.16.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
v2.06.5AV:N/AC:L/Au:S/C:P/I:P/A:P

References

Potentially impacted assets

See if this affects your attack surface

Test your asset

Latest trending attack

High4d ago

SQL injection in Roundcube

Roundcube is an open-source webmail application that allows users to access and manage email through a web browser. CVE-2026-48842 is a pre-authentication SQL injection vulnerability affecting Roundcube Webmail versions before 1.6.16 and 1.7.1. The flaw exists in the virtuser_query plugin and can be exploited remotely without authentication through a preg_replace() backslash escape bypass, potentially allowing attackers to manipulate database queries and compromise sensitive information.

CVE-2026-10581

Weaknesses

CVSS scores

References

Potentially impacted assets

Latest trending attack

SQL injection in Roundcube

Our latest news

Typosquatting: When Your Brand Becomes the Entry Point for Cyberattacks

CISO Challenges 2026: Fewer Attacks, Greater Impact

What Makes an Asset Hackable? The 4 Pillars Attackers Evaluate

Take 15 minutes to discover our platform with our experts