CVE-2026-5248
CVE-2026-5248 is a medium-severity vulnerability with a CVSS 3.x base score of 6.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-913.
Key facts
- Severity: Medium (CVSS 3.x base score 6.3)
- CVSS v2: 6.5
- CVSS v4: 2.1
- EPSS exploit prediction: 0% (15th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-17747
- Weakness: CWE-913
- Published:
- Last modified:
Description
A vulnerability has been found in gougucms 4.08.18. This affects the function reg_submit of the file gougucms-master\app\home\controller\Login.php of the component User Registration Handler. Such manipulation of the argument level leads to dynamically-determined object attributes. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Frequently asked questions
- What is CVE-2026-5248?
- A vulnerability has been found in gougucms 4.08.18. This affects the function reg_submit of the file gougucms-master\app\home\controller\Login.php of the component User Registration Handler. Such manipulation of the argument level leads to dynamically-determined object attributes. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- How severe is CVE-2026-5248?
- CVE-2026-5248 has a CVSS 3.x base score of 6.3, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability low.
- Is CVE-2026-5248 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (15th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2026-5248?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-5248 have an EU (EUVD) identifier?
- Yes. CVE-2026-5248 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-17747.
- When was CVE-2026-5248 published?
- CVE-2026-5248 was published on 2026-04-01 and last updated on 2026-06-17.
References
- https://thinhneee.github.io/posts/gougu-mass-assign/
- https://vuldb.com/submit/780589
- https://vuldb.com/vuln/354429
- https://vuldb.com/vuln/354429/cti
Other CWE-913 vulnerabilities
- CVE-2026-47208 — Critical (CVSS 10.0): vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout…
- CVE-2026-47137 — Critical (CVSS 10.0): vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903)…
- CVE-2026-47131 — Critical (CVSS 10.0): vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining…
- CVE-2023-29017 — Critical (CVSS 10.0): vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was…
- CVE-2022-36067 — Critical (CVSS 10.0): vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version…
- CVE-2026-34156 — Critical (CVSS 9.9): NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior…