A critical (CVSS 9.8) arbitrary file upload flaw in Interinfo's DreamMaker lets unauthenticated remote attackers drop web shells and execute arbitrary code on affected servers.
What Is It
CVE-2026-10071 is an Arbitrary File Upload vulnerability (CWE-434) in DreamMaker, a product developed by Interinfo. The flaw permits an unauthenticated remote attacker to upload web shell backdoors to the server and execute them, resulting in arbitrary code execution. The issue was disclosed by TWCERT/CC on 2026-05-29.
The CVSS v3.1 base score is 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The CVSS v4.0 base score is 9.3 (Critical). Attack vector is network-based, complexity is low, and neither privileges nor user interaction are required.
Why It Matters
The combination of network-reachable attack surface, no authentication requirement, and full confidentiality/integrity/availability impact makes this a one-shot remote code execution primitive. Successful exploitation hands an attacker a web shell, a foothold typically used for credential theft, lateral movement, data exfiltration, and persistence. Because exploitation requires no user interaction, any internet-exposed DreamMaker instance is at immediate risk of opportunistic mass-scanning and compromise.
CISA KEV does not currently list this CVE, so active in-the-wild exploitation has not been confirmed by KEV at the time of writing. Given the trivial attack complexity and severe impact profile, defenders should not wait for KEV inclusion before acting.
What's Vulnerable
- Product: DreamMaker
- Vendor: Interinfo
- Weakness: CWE-434 (Unrestricted Upload of File with Dangerous Type)
The NVD record does not enumerate specific affected CPE versions. Refer to the TWCERT advisories below for vendor-supplied version details and affected build identifiers.
Patch Status
The NVD entry (status: Received, published 2026-05-29) does not include an explicit fixed-version field. Remediation guidance is published by the disclosing coordinator, TWCERT/CC, in the referenced advisories. Administrators should consult the TWCERT bulletins for the vendor's fix, contact Interinfo for an updated build, and, until patched, restrict network exposure of DreamMaker (e.g., remove from the public internet, place behind authenticated VPN, and monitor upload endpoints for anomalous file writes).
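As an added illustration of the interim "monitor upload endpoints for anomalous file writes" guidance above (example code written for this page, not part of the advisory or of DreamMaker), the following flags the upload-then-invoke pattern typical of a CWE-434 web shell drop in combined-format access logs. It assumes a hypothetical /upload route (DreamMaker's real handler path is not given on the page) and uses constructed log lines.

```python
"""Detect a POST to an upload endpoint followed, from the same client, by a
successful request for a server-executable file (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical upload route; substitute the product's actual upload handler.
UPLOAD_PATHS = ("/upload",)
# Extensions the application server would execute instead of serving statically.
EXEC_EXT = re.compile(r"\.(jsp|jspx|asp|aspx|php|phtml|cgi|war)(\?|$)", re.I)
# Combined log format: ip - - [timestamp] "METHOD path PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse(line):
    """Return (ip, datetime, method, path, status) or None for unparseable lines."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def find_upload_then_invoke(lines, window=timedelta(minutes=10)):
    """Return (ip, path) pairs where a client POSTed to an upload endpoint and,
    within `window`, fetched a server-executable file that answered 200."""
    uploads = defaultdict(list)  # client ip -> timestamps of upload POSTs
    hits = []
    for ip, when, method, path, status in filter(None, map(parse, lines)):
        if method == "POST" and path.split("?")[0] in UPLOAD_PATHS:
            uploads[ip].append(when)
        elif EXEC_EXT.search(path) and status == 200:
            if any(timedelta(0) <= when - t <= window for t in uploads[ip]):
                hits.append((ip, path))
    return hits


# Constructed sample lines: one suspicious sequence, one benign upload, one
# upload whose follow-up request falls outside the correlation window.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/May/2026:10:00:01 +0000] "POST /upload HTTP/1.1" 200 512',
    '203.0.113.5 - - [29/May/2026:10:00:07 +0000] "GET /uploads/report.jsp HTTP/1.1" 200 84',
    '198.51.100.9 - - [29/May/2026:10:01:00 +0000] "POST /upload HTTP/1.1" 200 512',
    '198.51.100.9 - - [29/May/2026:10:01:30 +0000] "GET /uploads/photo.png HTTP/1.1" 200 2048',
    '198.51.100.9 - - [29/May/2026:11:30:00 +0000] "GET /uploads/a.jsp HTTP/1.1" 200 90',
    '192.0.2.7 - - [29/May/2026:10:05:00 +0000] "GET /admin/page.jsp HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for ip, path in find_upload_then_invoke(SAMPLE_LOG):
        print(f"ALERT upload-then-invoke from {ip}: {path}")
```

Tune `UPLOAD_PATHS`, the extension list and the window to the deployment; a hit is a triage signal to inspect the written file and the upload directory, not proof of compromise.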