CVE-2026-30460
HIGH WAF: Medium
CVSS 8.8
Published: 2026-04-07
CWE-94
Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module.
WAF Coverage Analysis
Code Injection
Medium WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution 933xxx - PHP Injection 934xxx - Node.js / Generic Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| thedaylightstudio | fuel_cms | 1.5.2 |
References
- daylight.com (Not Applicable)
- fuelcms.com (Product)
- github.com (Product)
- pentest-tools.com (Exploit, Third Party Advisory)