CVE-2026-49954

HIGH 7.2

Discuz! X5.0 Local File Inclusion via enable_disable.php Plugin Directory

CVSS Score

7.2

EPSS Score

0.0%

EPSS Percentile

0th

Discuz! X5.0 releases 20260320 through 20260610 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute. Attackers can trigger an exception during plugin installation to bypass sanitization routines, causing malicious paths to be stored unsanitized and subsequently passed to include(), which combined with file upload functionality escalates to arbitrary code execution in the context of the web server user.

CWE	CWE-98
Vendor	discuz!
Product	discuz! x5.0
Published	Jun 15, 2026
Last Updated	Jun 15, 2026

Stay Ahead of the Next One

Get instant alerts for discuz! discuz! x5.0

Be the first to know when new high vulnerabilities affecting discuz! discuz! x5.0 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Discuz! / Discuz! X5.0

20260320 ≤ 20260610

References

NVD ↗ CVE.org ↗ EPSS Data ↗

karmainsecurity.com: https://karmainsecurity.com/KIS-2026-11 karmainsecurity.com: https://karmainsecurity.com/chaining-bugs-in-discuz-from-race-condition-to-rce vulncheck.com: https://www.vulncheck.com/advisories/discuz-x5-0-local-file-inclusion-via-enable-disable-php-plugin-directory

Credits

Egidio Romano