{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30461", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-16T14:02:08.595Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-15T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-15T15:37:12.754Z"}, "descriptions": [{"lang": "en", "value": "Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://daylight.com"}, {"url": "http://fuelcms.com"}, {"url": "https://github.com/daylightstudio/FUEL-CMS/blob/master/fuel/modules/fuel/controllers/Installer.php"}, {"url": "https://pentest-tools.com/PTT-2025-028-Authenticated-RCE-via-Git-Submodules.pdf"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T14:01:28.990290Z", "id": "CVE-2026-30461", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:02:08.595Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30461", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-16T14:01:28.990290Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:02:01.709Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://daylight.com"}, {"url": "http://fuelcms.com"}, {"url": "https://github.com/daylightstudio/FUEL-CMS/blob/master/fuel/modules/fuel/controllers/Installer.php"}, {"url": "https://pentest-tools.com/PTT-2025-028-Authenticated-RCE-via-Git-Submodules.pdf"}], "descriptions": [{"lang": "en", "value": "Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-15T15:37:12.754Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30461", "state": "PUBLISHED", "dateUpdated": "2026-04-16T14:02:08.595Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-15T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:thedaylightstudio:fuel_cms:1.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "E3A44312-83D2-4421-9A35-3FD048EA578A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule."}], "id": "CVE-2026-30461", "lastModified": "2026-04-20T20:16:44.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-15T16:16:36.050", "references": [{"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "http://daylight.com"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "http://fuelcms.com"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/daylightstudio/FUEL-CMS/blob/master/fuel/modules/fuel/controllers/Installer.php"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://pentest-tools.com/PTT-2025-028-Authenticated-RCE-via-Git-Submodules.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.5.2"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 98.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "fuel_cms", "vendor": "daylightstudio"}], "analysis": {"en": {"generated_at": "2026-04-17T10:56:04.455332+00:00", "value": {"mitigation_remediation": ["Restrict all access to the /controllers/Installer.php endpoint so that only trusted administrators can reach it, or remove that route entirely.", "Remove or disable the add_git_submodule function from the application code base, ensuring no other entry points allow similar code execution.", "Check the vendor\u2019s website or repository for an updated FuelCMS release that addresses this flaw, and upgrade the installation to a patched version if available."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The only affected product documented in the CVE entry is Daylight Studio FuelCMS version\u202f1.5.2; no additional vendor or product variations are listed.", "description_and_impact": "Daylight Studio FuelCMS version\u202f1.5.2 contains an authenticated remote code execution flaw in the Installer controller\u2019s add_git_submodule function. Because the function uses user input to drive git commands, an attacker who authenticates to the application can trigger arbitrary code execution on the host. The vulnerability aligns with automated code execution weaknesses such as CWE\u201177 command injection, where malicious input controls system commands.", "risk_and_exploitability": "The flaw requires valid credentials for exploitation, meaning an attacker must first authenticate to the application. Once authenticated, the exploit can be performed by sending a crafted request to the /controllers/Installer.php endpoint that calls add_git_submodule. The CVSS score of 8.3 marks it as a high\u2011severity remote code execution vulnerability, while the EPSS score of less than 1% indicates a very low likelihood of exploitation. It is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog, so no immediate public exploitation evidence exists."}}}}, "created": "2026-04-15T19:30:12.404907+00:00", "title": "Authenticated Remote Code Execution in FuelCMS via Git Submodule Function", "updated": "2026-04-17T11:00:13.714814+00:00", "vendors": ["daylightstudio", "daylightstudio$PRODUCT$fuel_cms"]}