EUVD-2026-36794

🗓️ 15 Jun 2026 21:30:40Reported by EUVDType

Discuz! X5.0 releases 20260320 through 20260610 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequenc...

Reporter	Title	Published	Views	Family All 5
Circl	CVE-2026-49954	15 Jun 202620:42	–	circl
CVE	CVE-2026-49954	15 Jun 202618:50	–	cve
Cvelist	CVE-2026-49954 Discuz! X5.0 Local File Inclusion via enable_disable.php Plugin Directory	15 Jun 202618:50	–	cvelist
NVD	CVE-2026-49954	15 Jun 202620:16	–	nvd
Positive Technologies	PT-2026-49309	15 Jun 202600:00	–	ptsecurity

[
  {
    "enisaIdVendor": [
      {
        "id": "70ef56ae-f996-3c26-aeb9-01ed46cc101a",
        "vendor": {
          "name": "Discuz!"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "fc7d9306-22f5-3c32-ac82-01411f1a0065",
        "product": {
          "name": "Discuz! X5.0",
          "vendor": {
            "name": "Discuz!"
          }
        },
        "product_version": "20260320 ≤20260610"
      }
    ]
  }
]

Source	Link
karmainsecurity	www.karmainsecurity.com/KIS-2026-11
karmainsecurity	www.karmainsecurity.com/chaining-bugs-in-discuz-from-race-condition-to-rce
vulncheck	www.vulncheck.com/advisories/discuz-x5-0-local-file-inclusion-via-enable-disable-php-plugin-directory
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-49954

15 Jun 2026 21:30Current

6.3Medium risk

Vulners AI Score6.3

CVSS 48.6

CVSS 3.17.2