{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24729", "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88", "state": "PUBLISHED", "assignerShortName": "ZUSO ART", "dateReserved": "2026-01-26T07:42:53.160Z", "datePublished": "2026-01-30T03:50:31.763Z", "dateUpdated": "2026-01-30T18:06:51.293Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "DreamMaker", "vendor": "Internet Information Co., Ltd", "versions": [{"lessThan": "2025/10/22", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2026-01-30T03:48:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An unrestricted upload of file with dangerous type vulnerability in the file upload function of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to execute arbitrary system commands via a malicious class file."}], "value": "An unrestricted upload of file with dangerous type vulnerability in the file upload function of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to execute arbitrary system commands via a malicious class file."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 10, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88", "shortName": "ZUSO ART", "dateUpdated": "2026-01-30T03:50:31.763Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://zuso.ai/advisory/za-2026-02"}], "source": {"discovery": "UNKNOWN"}, "title": "Interinfo DreamMaker - Unrestricted Upload of File with Dangerous Type", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-30T18:06:21.909823Z", "id": "CVE-2026-24729", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T18:06:51.293Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24729", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-30T18:06:21.909823Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T18:06:47.126Z"}}], "cna": {"title": "Interinfo DreamMaker - Unrestricted Upload of File with Dangerous Type", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Internet Information Co., Ltd", "product": "DreamMaker", "versions": [{"status": "affected", "version": "0", "lessThan": "2025/10/22", "versionType": "custom"}], "defaultStatus": "unknown"}], "datePublic": "2026-01-30T03:48:00.000Z", "references": [{"url": "https://zuso.ai/advisory/za-2026-02", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "An unrestricted upload of file with dangerous type vulnerability in the file upload function of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to execute arbitrary system commands via a malicious class file.", "supportingMedia": [{"type": "text/html", "value": "An unrestricted upload of file with dangerous type vulnerability in the file upload function of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to execute arbitrary system commands via a malicious class file.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88", "shortName": "ZUSO ART", "dateUpdated": "2026-01-30T03:50:31.763Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24729", "state": "PUBLISHED", "dateUpdated": "2026-01-30T18:06:51.293Z", "dateReserved": "2026-01-26T07:42:53.160Z", "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88", "datePublished": "2026-01-30T03:50:31.763Z", "assignerShortName": "ZUSO ART"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An unrestricted upload of file with dangerous type vulnerability in the file upload function of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to execute arbitrary system commands via a malicious class file."}, {"lang": "es", "value": "Una vulnerabilidad de carga irrestricta de archivos de tipo peligroso en la funci\u00f3n de carga de archivos de las versiones de Interinfo DreamMaker anteriores al 22/10/2025 permite a atacantes remotos ejecutar comandos de sistema arbitrarios a trav\u00e9s de un archivo de clase malicioso."}], "id": "CVE-2026-24729", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ART@zuso.ai", "type": "Secondary"}]}, "published": "2026-01-30T05:16:33.490", "references": [{"source": "ART@zuso.ai", "url": "https://zuso.ai/advisory/za-2026-02"}], "sourceIdentifier": "ART@zuso.ai", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "ART@zuso.ai", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:14:26.103333+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011supplied patch or upgrade DreamMaker to a version released on or after October 22, 2025.", "Configure the web application to reject all non\u2011essential file types and enforce a strict whitelist of allowed extensions for uploads.", "Implement server\u2011side validation to confirm that uploaded files match expected signatures or MIME types before processing."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Internet Information Co., Ltd. DreamMaker versions released prior to October 22, 2025 are affected by this flaw. No specific build numbers are listed, so all instances before that date fall within the impacted scope.", "description_and_impact": "An attacker can upload a file of a dangerous type to the file upload function of Interinfo DreamMaker. The file is treated as a legitimate class file and executed by the system, allowing the attacker to run arbitrary system commands. The weakness is identified as CWE\u2011434, which indicates a failure to restrict the type and usage of uploaded data.", "risk_and_exploitability": "The flaw carries a CVSS score of 10, marking it as critical. The EPSS score is less than 1%, suggesting that, while the vulnerability is severe, its exploitation probability is relatively low at present. It has not been added to the CISA KEV catalog. Attackers can exploit the vulnerability remotely by simply uploading a crafted file; no special configuration or local privilege is required. Because the flaw permits arbitrary command execution, its exploit would provide full control over the affected system, with potential breach of confidentiality, integrity, and availability."}}}}, "created": "2026-01-30T08:42:16.775260+00:00", "updated": "2026-04-18T01:15:05.997016+00:00", "vendors": ["interinfo", "interinfo$PRODUCT$dreammaker"]}