CVE-2026-49954

Name of the Vulnerable Software and Affected Versions Discuz! X5.0 versions 20260320 through 20260610

Description An issue exists where authenticated administrators can execute arbitrary code by importing a specially crafted plugin configuration. This is achieved by including path traversal sequences in the directory attribute. By triggering an exception during plugin installation, sanitization routines are bypassed, allowing malicious paths to be stored and subsequently passed to the include() function. When combined with file upload functionality, this leads to arbitrary code execution within the context of the web server user.

Recommendations Update Discuz! X5.0 to a version released after 20260610.