Home / Vulnerability Intelligence / CVE-2026-30461

CVE-2026-30461 - Vulnerability Analysis

HighCVSS: 8.3

Last Updated: April 16, 2026

Daylight Studio FuelCMS - Remote Code Execution

Published: April 15, 2026Updated: April 16, 2026Remote Exploitable

Overview

Daylight Studio FuelCMS v1.5.2 contains an authenticated remote code execution caused by improper handling in /controllers/Installer.php function add_git_submodule, letting authenticated attackers execute arbitrary code remotely.

Severity & Score

Severity: High

CVSS Score: 8.3

EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Authenticated attackers can execute arbitrary code remotely, potentially leading to full system compromise.

Mitigation

Update to the latest version of FuelCMS.

References

Social Media Activity(1 post)

pentest-tools.com

@pentesttools

Apr 9, 2026

"It's just dev mode." PTT-2025-028 / CVE-2026-30461 disagrees. Any authenticated user on a FuelCMS dev instance can drop a PHP shell via git submodule and call it from the browser. One HTTP request. Full RCE. CVSS 8.8 High. No patch coming. Project's been dormant for almost 4 years. Found by Raul Bledea and Matei "Mal" Bădănoiu. Full PoC: https://pentest-tools.com/research #offensivesecurity #vulnerabilityresearch

View original post

Related Resources

Details

CVE ID: CVE-2026-30461
Severity: High
CVSS Score: 8.3
Type: remote_code_execution
Status: new
EPSS: 0.0%
Social Posts: 1

CWE

CWE-77

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

EPSS Score

0.0%Probability of exploitation in the next 30 days