{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29839", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-24T17:54:13.568Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-24T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-24T15:38:28.762Z"}, "descriptions": [{"lang": "en", "value": "DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability in /sys_task_add.php."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.dedecms.com/"}, {"url": "https://gist.github.com/w-p-man/43bfdf3c7cf889981d773d1276bb6a62"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-352", "lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T17:53:38.387665Z", "id": "CVE-2026-29839", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T17:54:13.568Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29839", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T17:53:38.387665Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T17:52:23.713Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.dedecms.com/"}, {"url": "https://gist.github.com/w-p-man/43bfdf3c7cf889981d773d1276bb6a62"}], "descriptions": [{"lang": "en", "value": "DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability in /sys_task_add.php."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-24T15:38:28.762Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29839", "state": "PUBLISHED", "dateUpdated": "2026-03-24T17:54:13.568Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-24T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dedecms:dedecms:5.7.118:*:*:*:*:*:*:*", "matchCriteriaId": "FBFA6DA9-ED89-432F-8D0B-71ABD05E149F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability in /sys_task_add.php."}], "id": "CVE-2026-29839", "lastModified": "2026-03-25T20:53:05.983", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-24T16:16:30.787", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://gist.github.com/w-p-man/43bfdf3c7cf889981d773d1276bb6a62"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.dedecms.com/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.7.118"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 97.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "dedecms", "vendor": "dedecms"}], "analysis": {"en": {"generated_at": "2026-03-25T23:52:07.335999+00:00", "value": {"mitigation_remediation": ["Apply the latest DedeCMS release that fixes the CSRF issue in sys_task_add.php.", "If an update is unavailable, restrict direct access to /sys_task_add.php or enforce a CSRF token check before processing requests.", "Deploy a web application firewall rule that flags and blocks suspicious POST requests to sys_task_add.php.", "Monitor the platform for unexpected task-creation activity and review logs for unauthorized changes."], "summary": {"action": "Patch immediately", "impact": "Unauthorized administrative actions via CSRF"}, "threat_synthesis": {"affected_systems": "DedeCMS version 5.7.118 is affected. No other vendors or product versions have been reported. Users deploying this specific release should consider it compromised until a fix is applied.", "description_and_impact": "The vulnerability allows attackers to forge authenticated requests to the sys_task_add.php endpoint. By exploiting it, an attacker can add or modify scheduled tasks within DedeCMS, potentially leading to privilege escalation or preferred actions executed under the authenticated user\u2019s rights. This is identified as a Cross\u2011Site Request Forgery weakness (CWE\u2011352).", "risk_and_exploitability": "The CVSS score of 8.8 reflects a high severity, while an EPSS score of less than 1% suggests a low probability of widespread exploitation in the near term. The vulnerability is not currently listed in CISA\u2019s KEV catalog. Exploitation likely requires that a target user be authenticated and click a crafted URL or submit a forged request, making it a targeted attack vector. If successful, the attacker could perform privileged operations without being authenticated directly. Monitoring for abnormal task creation and applying a patch remain key defenses."}}}}, "created": "2026-03-25T11:48:56.282345+00:00", "title": "Cross\u2011Site Request Forgery in DedeCMS 5.7.118 /sys_task_add.php", "updated": "2026-03-26T12:20:28.240244+00:00", "vendors": ["dedecms", "dedecms$PRODUCT$dedecms"]}