Full Report
CERT Polska has received a report about 3 vulnerabilities (from CVE-2026-53690 to CVE-2026-53692) found in Redeight CMS software.
Analysis Summary
# Vulnerability: Multiple Flaws in Redeight CMS (SQLi, RCE, and Weak Cryptography)
## CVE Details
- **CVE ID:** CVE-2026-53690, CVE-2026-53691, CVE-2026-53692
- **CVSS Score:** Not explicitly provided in the source (Estimated: Critical for CVE-2026-53690/91)
- **CWE:**
  - CWE-89: SQL Injection (CVE-2026-53690)
  - CWE-434: Unrestricted Upload of File with Dangerous Type (CVE-2026-53691)
  - CWE-261: Weak Encoding for Password (CVE-2026-53692)
## Affected Systems
- **Products:** Redeight CMS
- **Versions:** 1.0
- **Configurations:** Default installations; specifically the administrative login and file management modules.
## Vulnerability Description
Three distinct vulnerabilities were identified in the Redeight CMS:
1. **CVE-2026-53690 (SQL Injection):** The login endpoint (`/admin/index.php`) fails to sanitize the `userEmail` parameter. Input is directly interpolated into SQL queries without prepared statements, allowing for data extraction.
2. **CVE-2026-53691 (Unrestricted File Upload):** The file addition module (`/admin/index.php?module=pages&mode=FileAdd`) lacks validation for file extensions and MIME types. Files are uploaded to a publicly accessible directory (`/uploads/files/`).
3. **CVE-2026-53692 (Weak Cryptography):** User passwords are stored using the MD5 algorithm without the use of a salt.
## Exploitation
- **Status:** Reported via Coordinated Vulnerability Disclosure (CVD). No active exploitation in the wild mentioned, but technical details are public.
- **Complexity:** Low
- **Attack Vector:**
  - **Network:** CVE-2026-53690 (Unauthenticated remote access)
  - **Network:** CVE-2026-53691 (Authenticated remote access)
## Impact
- **Confidentiality:** High (Full database extraction via SQLi; password hash cracking via MD5).
- **Integrity:** High (Ability to modify server files and execute code).
- **Availability:** High (Potential for Remote Code Execution (RCE) to compromise the entire host).
## Remediation
### Patches
- As of the publication date (June 30, 2026), specific patch versions are not listed in the advisory. Users of Redeight CMS version 1.0 should contact the vendor for updates.
### Workarounds
- **Disable File Uploads:** Restrict access to the `FileAdd` module until a patch is applied.
- **WAF Implementation:** Deploy a Web Application Firewall to filter SQL injection attempts and block PHP execution in the `/uploads/` directory.
- **Directory Hardening:** Set the `/uploads/files/` directory to non-executable status (e.g., via `.htaccess` or server configuration).
## Detection
- **Indicators of Compromise:**
  - Presence of unexpected `.php` files in the `/uploads/files/` directory.
  - Unusual SQL syntax or Boolean/Time-based patterns in access logs targeting `/admin/index.php`.
- **Detection methods:**
  - Audit database logs for unauthorized queries originating from the web application user.
  - Scan for MD5-length strings in user database tables to identify vulnerable password storage.
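The two host-side checks above (unexpected PHP in `/uploads/files/` and MD5-length password values) can be scripted as in the following added example, which is not part of the advisory or of Redeight CMS. The function names, the extension list, the `email`/`password` column names and all sample data are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Extensions commonly mapped to the PHP handler (assumed list; match it to the server config).
PHP_EXTENSIONS = {".php", ".phtml", ".phar", ".php5", ".php7"}
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")


def find_php_in_uploads(upload_dir):
    """Return {relative_path: reason} for files a PHP handler could run."""
    findings = {}
    root = Path(upload_dir)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        # Check every suffix so a double extension such as "x.php.jpg" is caught too.
        if any(s.lower() in PHP_EXTENSIONS for s in path.suffixes):
            findings[rel] = "php-extension"
        else:
            with path.open("rb") as fh:
                if PHP_OPEN_TAG.search(fh.read(4096)):
                    findings[rel] = "php-open-tag"
    return findings


def find_md5_like_hashes(rows, column="password"):
    """Return the users whose stored password is a bare 32-character hex string."""
    return [r["email"] for r in rows if MD5_HEX.fullmatch(r.get(column, "") or "")]


def demo():
    """Run both checks on constructed sample data."""
    with tempfile.TemporaryDirectory() as tmp:
        files = Path(tmp) / "uploads" / "files"
        files.mkdir(parents=True)
        (files / "brochure.pdf").write_bytes(b"%PDF-1.7 constructed sample")
        (files / "notes.PHP").write_bytes(b"constructed sample")
        (files / "logo.png").write_bytes(b"\x89PNG<?php /* constructed */ ?>")
        uploads = find_php_in_uploads(files)
    rows = [  # constructed rows standing in for an export of the user table
        {"email": "a@example.test", "password": "0123456789abcdef0123456789abcdef"},
        {"email": "b@example.test", "password": "$2y$10$constructedplaceholdervalue"},
    ]
    return uploads, find_md5_like_hashes(rows)


if __name__ == "__main__":
    print(demo())
```

A 32-character hex value only indicates an MD5-sized digest; confirm the hashing routine in the application before treating a match as CVE-2026-53692.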
## References
- CERT Polska Advisory: hxxps://cert[.]pl/en/publications/vulnerabilities-in-redeight-cms-software/
- CVE-2026-53690: hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-53690
- CVE-2026-53691: hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-53691
- CVE-2026-53692: hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-53692