{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30461", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-15T15:37:12.754Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-15T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-15T15:37:12.754Z"}, "descriptions": [{"lang": "en", "value": "Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://daylight.com"}, {"url": "http://fuelcms.com"}, {"url": "https://github.com/daylightstudio/FUEL-CMS/blob/master/fuel/modules/fuel/controllers/Installer.php"}, {"url": "https://pentest-tools.com/PTT-2025-028-Authenticated-RCE-via-Git-Submodules.pdf"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule."}], "id": "CVE-2026-30461", "lastModified": "2026-04-15T16:16:36.050", "metrics": {}, "published": "2026-04-15T16:16:36.050", "references": [{"source": "cve@mitre.org", "url": "http://daylight.com"}, {"source": "cve@mitre.org", "url": "http://fuelcms.com"}, {"source": "cve@mitre.org", "url": "https://github.com/daylightstudio/FUEL-CMS/blob/master/fuel/modules/fuel/controllers/Installer.php"}, {"source": "cve@mitre.org", "url": "https://pentest-tools.com/PTT-2025-028-Authenticated-RCE-via-Git-Submodules.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.5.2"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 98.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "fuel_cms", "vendor": "daylightstudio"}], "analysis": {"en": {"generated_at": "2026-04-15T19:28:55.064418+00:00", "value": {"mitigation_remediation": ["Restrict all access to the /controllers/Installer.php endpoint so that only trusted administrators can reach it, or remove that route entirely.", "Remove or disable the add_git_submodule function from the application code base, ensuring no other entry points allow similar code execution.", "Check the vendor\u2019s website or repository for an updated FuelCMS release that addresses this flaw, and upgrade the installation to a patched version if available."], "summary": {"action": "Assess Impact", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The only affected product listed is Daylight Studio FuelCMS version 1.5.2. No additional vendor or product variations are documented in the CVE entry.", "description_and_impact": "Daylight Studio FuelCMS version 1.5.2 contains an authenticated remote code execution flaw in the Installer controller\u2019s add_git_submodule function. Because the function accepts user input that can influence the execution of git commands, an attacker who authenticates to the application can trigger arbitrary code execution on the host. The weakness aligns with automated code execution vulnerabilities as defined in CWE\u201194, where malicious input leads to compromised execution flow.", "risk_and_exploitability": "The vulnerability is authenticated, meaning an attacker must first gain valid credentials for the application. Once authenticated, the exploit can be performed by sending a crafted request to the /controllers/Installer.php endpoint that invokes add_git_submodule. Because no EPSS score is available and the CISA Known Exploited Vulnerabilities catalog does not list the issue, the publicly measured likelihood of exploitation is unknown. The CVSS metric, if provided elsewhere, would rate it as high due to remote code execution, but the lack of additional data suggests relying on the authenticated nature to gauge operational risk."}}}}, "created": "2026-04-15T19:30:12.404907+00:00", "title": "Authenticated Remote Code Execution via Git Submodule Function in FuelCMS Installer", "updated": "2026-04-15T22:00:06.479303+00:00", "vendors": ["daylightstudio", "daylightstudio$PRODUCT$fuel_cms"], "weaknesses": ["CWE-94"]}