{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5333", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-01T14:01:58.729Z", "datePublished": "2026-04-02T13:30:14.585Z", "dateUpdated": "2026-04-02T13:54:13.691Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-02T13:30:14.585Z"}, "title": "DefaultFuction Content-Management-System tools.php command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "DefaultFuction", "product": "Content-Management-System", "versions": [{"version": "1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in DefaultFuction Content-Management-System 1.0. This issue affects some unknown processing of the file /admin/tools.php. The manipulation of the argument host results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-01T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-01T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-01T16:07:03.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Practice (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/354667", "name": "VDB-354667 | DefaultFuction Content-Management-System tools.php command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354667/cti", "name": "VDB-354667 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780849", "name": "Submit #780849 | DefaultFuction CMS V1.0.0 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/DefaultFuction/Content-Management-System/issues/1", "tags": ["issue-tracking"]}, {"url": "https://github.com/DefaultFuction/Content-Management-System/issues/1#issue-4082558620", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/DefaultFuction/Content-Management-System/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T13:54:00.449255Z", "id": "CVE-2026-5333", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:54:13.691Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5333", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-01T14:01:58.729Z", "datePublished": "2026-04-02T13:30:14.585Z", "dateUpdated": "2026-04-02T13:54:13.691Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-02T13:30:14.585Z"}, "title": "DefaultFuction Content-Management-System tools.php command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "DefaultFuction", "product": "Content-Management-System", "versions": [{"version": "1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in DefaultFuction Content-Management-System 1.0. This issue affects some unknown processing of the file /admin/tools.php. The manipulation of the argument host results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-01T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-01T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-01T16:07:03.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Practice (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/354667", "name": "VDB-354667 | DefaultFuction Content-Management-System tools.php command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354667/cti", "name": "VDB-354667 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780849", "name": "Submit #780849 | DefaultFuction CMS V1.0.0 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/DefaultFuction/Content-Management-System/issues/1", "tags": ["issue-tracking"]}, {"url": "https://github.com/DefaultFuction/Content-Management-System/issues/1#issue-4082558620", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/DefaultFuction/Content-Management-System/", "tags": ["product"]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5333", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T13:54:00.449255Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:54:04.693Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in DefaultFuction Content-Management-System 1.0. This issue affects some unknown processing of the file /admin/tools.php. The manipulation of the argument host results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks."}], "id": "CVE-2026-5333", "lastModified": "2026-04-02T14:16:36.827", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-02T14:16:36.827", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/DefaultFuction/Content-Management-System/"}, {"source": "cna@vuldb.com", "url": "https://github.com/DefaultFuction/Content-Management-System/issues/1"}, {"source": "cna@vuldb.com", "url": "https://github.com/DefaultFuction/Content-Management-System/issues/1#issue-4082558620"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/780849"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354667"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354667/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "content-management-system", "vendor": "defaultfuction"}], "analysis": {"en": {"generated_at": "2026-04-02T15:05:46.041627+00:00", "value": {"mitigation_remediation": ["Apply any available patch or newer release of DefaultFuction CMS that removes the command injection flaw.", "If a patch is unavailable, disable or restrict access to /admin/tools.php to trusted administrative IPs or authenticated users only.", "Validate and sanitize the 'host' parameter on the server side to prevent command execution (e.g., escape shell arguments or use safe APIs).", "Monitor web server logs for suspicious requests directed at /admin/tools.php and block offending IPs.", "Verify that the CMS is up to date on other components and perform a security audit of other admin scripts."], "summary": {"action": "Immediate Patch", "impact": "Command Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in DefaultFuction Content\u2011Management\u2011System version 1.0. The affected component is the admin tools script /admin/tools.php. Only users who have access to the administrative interface are at risk, but the exploit can be triggered remotely if the endpoint is reachable.", "description_and_impact": "An attacker can supply a specially crafted 'host' parameter to /admin/tools.php in DefaultFuction CMS 1.0, causing the server to execute arbitrary operating\u2011system commands. This allows remote code execution, giving the attacker full control over the compromised server, with potential loss of confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS base score of 6.9 indicates a medium severity. No EPSS score is publicly available, and the flaw is not listed in CISA's KEV catalogue, suggesting that widespread exploitation is not yet confirmed. However, the public exploit has been released, and the attack can be performed remotely by sending a crafted request to the host parameter, which indicates a low barrier to entry. Administrators should consider the risk high enough to apply remediation immediately."}}}}, "created": "2026-04-02T20:12:32.295555+00:00", "updated": "2026-04-02T20:21:12.380303+00:00", "vendors": ["defaultfuction", "defaultfuction$PRODUCT$content-management-system"]}