CVE-2026-5333
CRITICAL WAF: High
CVSS 9.8
Published: 2026-04-02
CWE-77 CWE-77
A security flaw has been discovered in DefaultFuction Content-Management-System 1.0. This issue affects some unknown processing of the file /admin/tools.php. The manipulation of the argument host results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
WAF Coverage Analysis
Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| defaultfuction | content_management_system | 1.0 |
References
- github.com (Product)
- github.com (Exploit, Vendor Advisory)
- github.com (Exploit, Vendor Advisory)
- vuldb.com (Third Party Advisory, VDB Entry)
- vuldb.com (Third Party Advisory, VDB Entry)
- vuldb.com (Permissions Required, VDB Entry)