CVE-2026-5333

HIGH

DefaultFuction Content-Management-System tools.php command injection

Title source: cna

Description

A security flaw has been discovered in DefaultFuction Content-Management-System 1.0. This issue affects some unknown processing of the file /admin/tools.php. The manipulation of the argument host results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

References (6)

[Vdb Entry, Technical Description] https://vuldb.com/vuln/354667

[Signature, Permissions Required] https://vuldb.com/vuln/354667/cti

[Third Party Advisory] https://vuldb.com/submit/780849

[Issue Tracking] https://github.com/DefaultFuction/Content-Management-System/issues/1

[Exploit] https://github.com/DefaultFuction/Content-Management-System/issues/1#issue-4082558620

[Product] https://github.com/DefaultFuction/Content-Management-System/

Scores

CVSS v3 7.3

EPSS 0.0026

EPSS Percentile 49.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-74 CWE-77

Status published

Products (2)

DefaultFuction/Content-Management-System 1.0

defaultfuction/content_management_system 1.0

Published Apr 02, 2026

Tracked Since Apr 02, 2026