Security Advisory - Published 2026-06-16 - Discuz! Forum
Discuz! X5.0 CVE-2026-49952 and CVE-2026-49954: check the release, admin paths, and files
Discuz! X5.0 sites running 2026 spring releases need a direct review. CVE-2026-49952 affects releases 20260320 through 20260501 and is fixed in 20260510 or newer. CVE-2026-49954 affects X5.0 releases 20260320 through 20260610, with older X3.4 and X3.5 releases listed as possibly affected by the researcher.
Who should check
| CVE | CVE-2026-49952 and CVE-2026-49954 |
|---|---|
| Product | Discuz! X5.0, with X3.4 and X3.5 needing extra attention for CVE-2026-49954 |
| High-risk setup | Public forum, reachable admin area, stale administrator accounts, enabled plugin upload or import workflow, exposed backup or restore tooling |
| Fix posture | For CVE-2026-49952, upgrade to Discuz_X5.0_20260510 or newer. For CVE-2026-49954, restrict admin access and monitor vendor guidance because the public advisory lists no official fix. |
Version and exposure check
- Record the Discuz release string, build date, and source package used for the live forum.
- Check whether administrator login, plugin management, backup, restore, upload, and application-center workflows are reachable from the public internet.
- List all administrator and founder accounts, including old staff and shared maintenance users.
- Confirm whether backups are stored under a web-reachable path or synced to a public object bucket.
What to review in logs
```shell
# Broad keyword sweep. Expect heavy noise from source/ and uc_client/, since the
# application code itself mentions admin and plugin everywhere; read logs/ hits first.
rg -n "admin|plugin|backup|restore|dbbak|upload|install|enable|disable" logs/ data/ uc_client/ source/ 2>nul
# Write requests against sensitive admin paths.
# "2>nul" silences errors in Windows cmd; on a POSIX shell use "2>/dev/null" instead.
rg -n "POST .*admin|POST .*plugin|POST .*upload|POST .*backup|POST .*restore" logs/ 2>nul
```

A clean review has no unfamiliar administrator logins, no unexpected backup export or restore activity, no plugin import outside approved maintenance, and no repeated access to sensitive admin paths from addresses that are not part of your normal operation.
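The web-server log check above can be scripted so that only the requests worth a human look are printed. The following is an added example, not part of the advisory or of Discuz!; it parses constructed combined-format access log lines, keeps POSTs to admin, plugin, upload, backup and restore paths (and any request to a backup-like path) from sources outside an assumed allow-list of your own maintenance addresses, and counts repeat sources.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/Nginx combined log format (not from a real forum).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jun/2026:10:01:12 +0000] "GET /forum.php?mod=viewthread&tid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Jun/2026:10:02:01 +0000] "POST /admin.php?action=plugins&operation=import HTTP/1.1" 200 812 "-" "curl/8.0"
198.51.100.9 - - [16/Jun/2026:10:02:30 +0000] "POST /admin.php?action=db&operation=export HTTP/1.1" 200 640 "-" "curl/8.0"
10.0.0.5 - - [16/Jun/2026:10:05:44 +0000] "POST /admin.php?action=plugins&operation=enable HTTP/1.1" 200 700 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Jun/2026:10:06:02 +0000] "GET /data/backup/ HTTP/1.1" 403 200 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Path fragments the advisory treats as sensitive admin/maintenance surface.
SENSITIVE = ("admin", "plugin", "upload", "backup", "restore", "dbbak", "install")
BACKUP_LIKE = ("backup", "dbbak", "restore")

def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def review_log(text, allowed_sources):
    """Return (hits, repeat_sources).

    A hit is a POST to a sensitive path, or any request to a backup-like path,
    from a source address that is not in allowed_sources (assumed: your own
    maintenance addresses). repeat_sources maps addresses with two or more hits.
    """
    hits, per_source = [], Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # skip malformed lines rather than abort the review
        path = rec["path"].lower()
        if rec["ip"] in allowed_sources or not any(f in path for f in SENSITIVE):
            continue
        if rec["method"] == "POST" or any(f in path for f in BACKUP_LIKE):
            hits.append((rec["ip"], rec["ts"], rec["method"], rec["path"], rec["status"]))
            per_source[rec["ip"]] += 1
    return hits, {ip: n for ip, n in per_source.items() if n >= 2}

if __name__ == "__main__":
    hits, repeat = review_log(SAMPLE_LOG, allowed_sources={"10.0.0.5"})
    for h in hits:
        print(" ".join(h))
    print("repeat sources:", repeat)
```

Feed it the real access log and your own allow-list; every printed line is a request to cross-check against a maintenance ticket.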
File and plugin review
- Check recently changed PHP files under plugin, upload, cache, data, config, and application directories.
- Review new plugin packages, changed plugin metadata, and plugin enable or disable events after June 15, 2026.
- Look for unknown archives, double extensions, PHP files in upload-like paths, changed include files, and modified `.htaccess` or Nginx rules.
- Preserve timestamps and owner/group metadata before deleting suspicious files.
Safe fix path
- Upgrade Discuz! X5.0 installations affected by CVE-2026-49952 to release 20260510 or newer.
- Put the administrator area behind VPN, IP allow-listing, or a private maintenance path while CVE-2026-49954 review is open.
- Disable stale administrators, rotate founder/admin credentials, and remove shared maintenance accounts.
- Disable plugin upload or import workflows unless they are needed for a scheduled maintenance window.
- Move backup files outside the web root and remove public access to restore tooling.
- Recheck the forum with normal browsing, login, posting, attachments, and search before reopening unrestricted admin access.
Signs the forum needs incident review
- Unknown administrator sessions, password resets, or role changes.
- Unexpected database backup exports, restores, or large archive downloads.
- Plugin imports or enable/disable actions that do not match a maintenance ticket.
- New PHP files in upload, cache, data, plugin, or template directories.
- Changed configuration, scheduled tasks, mail settings, payment settings, or outbound webhook URLs.
Repair help
Use Ping7 CVE Repair when the forum was public, admin access was broadly exposed, logs show unknown admin activity, or suspicious files appear under plugin or upload paths. Send the Discuz release, hosting type, admin exposure, and the first suspicious timestamp.