{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30460", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-07T15:00:54.241Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-07T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-07T15:00:54.241Z"}, "descriptions": [{"lang": "en", "value": "Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/daylightstudio/FUEL-CMS/"}, {"url": "http://daylight.com"}, {"url": "http://fuelcms.com"}, {"url": "https://pentest-tools.com/PTT-2025-027-Improper-Authorization.pdf"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module."}], "id": "CVE-2026-30460", "lastModified": "2026-04-08T21:27:00.663", "metrics": {}, "published": "2026-04-07T16:16:23.593", "references": [{"source": "cve@mitre.org", "url": "http://daylight.com"}, {"source": "cve@mitre.org", "url": "http://fuelcms.com"}, {"source": "cve@mitre.org", "url": "https://github.com/daylightstudio/FUEL-CMS/"}, {"source": "cve@mitre.org", "url": "https://pentest-tools.com/PTT-2025-027-Improper-Authorization.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis"}

{}

{"analysis": {"en": {"generated_at": "2026-04-07T23:25:59.356705+00:00", "value": {"mitigation_remediation": ["Apply vendor patch or upgrade to a newer FuelCMS release that fixes the Blocks module.", "If no fix is available, remove or deactivate the Blocks module and restrict user privileges to the minimum required.", "Monitor web application logs for unexpected code uploads or execution attempts and review any unauthorized changes.", "Deploy a web application firewall and enforce strict input validation on all user-supplied content."], "summary": {"action": "Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected software is Daylight Studio FuelCMS release 1.5.2. Any deployment that includes the vulnerable Blocks module and accepts authenticated usage is at risk. No other product or version information is provided.", "description_and_impact": "The vulnerability exists in the Blocks module of Daylight Studio FuelCMS v1.5.2 and allows an authenticated user to execute arbitrary code on the host server. The impact is total loss of confidentiality, integrity, and availability of the application and potentially the underlying operating system. The described weakness corresponds to the ability to run malicious code with the privileges of the application process.", "risk_and_exploitability": "The CVSS base score is not published, but the significance is high because the flaw requires authentication and permits remote code execution. EPSS data are not available, and the vulnerability is not listed in the KEV catalog. Since the attack vector is not defined in the report, it is inferred that exploitation would occur via the application\u2019s web interface after a user logs in. The likelihood of exploitation remains uncertain without EPSS, yet the severe impact warrants immediate attention."}}}}, "created": "2026-04-08T19:50:15.984733+00:00", "title": "Authenticated Remote Code Execution via Blocks Module in FuelCMS v1.5.2", "updated": "2026-04-08T19:50:15.984772+00:00", "vendors": [], "weaknesses": ["CWE-94", "CWE-78"]}