PT-2026-31607 · Thedaylightstudio · Fuel Cms

Published: 2026-04-09 · Updated: 2026-04-16 · CVE-2026-30461

CVSS v3.1: 8.3 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Name of the Vulnerable Software and Affected Versions

Daylight Studio FuelCMS version 1.5.2

Description

An authenticated remote code execution issue exists when development mode is enabled, git over SSH is active, and a valid .git directory is present in the root. The lack of enforced access control on the add_git_submodule() function within the '/controllers/Installer.php' endpoint allows an authenticated user to clone an arbitrary repository, such as a PHP shell, into the modules directory and execute it via the browser.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
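
With no fixed version listed, a deployment can be audited for the file-system preconditions named in the description: a .git entry in the web root and git-backed directories under the modules directory. The script below is an added example, not code from the advisory or from Fuel CMS. Its function names, the directory arguments and the allow-list file of reviewed module names are assumptions, and it does not check the development-mode or git-over-SSH preconditions.

```shell
#!/bin/sh
# Added example: audit a web root for the file-system preconditions in the
# advisory. All paths are supplied by the caller (assumed, not Fuel CMS's own).

# root_has_git ROOT: succeeds when ROOT carries a .git directory or gitfile.
root_has_git() {
    [ -e "$1/.git" ]
}

# list_submodule_paths ROOT: print every "path = ..." value in ROOT/.gitmodules.
list_submodule_paths() {
    [ -f "$1/.gitmodules" ] || return 0
    sed -n 's/^[[:space:]]*path[[:space:]]*=[[:space:]]*//p' "$1/.gitmodules"
}

# list_nested_repos MODULES_DIR: print module directories that have their own
# .git entry (a directory for a clone, a gitfile for a registered submodule).
list_nested_repos() {
    for d in "$1"/*/; do
        [ -e "${d}.git" ] && printf '%s\n' "${d%/}"
    done
    return 0
}

# unexpected_modules MODULES_DIR ALLOW_FILE: print git-backed modules whose
# directory name is not listed (one name per line) in ALLOW_FILE.
unexpected_modules() {
    list_nested_repos "$1" | while IFS= read -r repo; do
        name=$(basename "$repo")
        grep -qxF -- "$name" "$2" || printf '%s\n' "$repo"
    done
}

# audit_webroot ROOT MODULES_DIR ALLOW_FILE: report findings; return 1 when an
# unreviewed git-backed module sits in a web root that also exposes .git.
audit_webroot() {
    root_has_git "$1" || { echo "no .git in $1: precondition absent"; return 0; }
    echo "WARNING: .git present in web root $1"
    list_submodule_paths "$1" | sed 's/^/registered submodule: /'
    found=$(unexpected_modules "$2" "$3")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | sed 's/^/unreviewed git-backed module: /'
    return 1
}

# Run as: script ROOT MODULES_DIR ALLOW_FILE
if [ "$#" -eq 3 ]; then audit_webroot "$@"; fi
```

A non-zero exit means a module directory with its own git metadata is not on the reviewed list and should be inspected before the site stays online.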

Exploit

RCE

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-30461

Affected Products

Fuel Cms