CVE-2026-10581

Name of the Vulnerable Software and Affected Versions DedeCMS version 5.7.88

Description A flaw in the base64 decode() function within the '/plus/download.php?open=1' endpoint allows for server-side request forgery (SSRF), a condition where a server is tricked into making unauthorized requests to internal or external resources. This occurs through the manipulation of the Link argument, enabling remote exploitation.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the '/plus/download.php?open=1' endpoint or avoid using the Link parameter until a patch is available.