CVE-2026-10071

Vulnerability

CVE-2026-10071 is an arbitrary file upload vulnerability in DreamMaker, developed by Interinfo. The affected product is DreamMaker Java Composer version 2.2 and earlier [1][2]. The vulnerability allows an unauthenticated remote attacker to upload files without any restrictions, enabling the upload of a web shell backdoor [1][2].

Exploitation

An attacker does not require any authentication or prior access to the target system. The attack is performed remotely over the network. The attacker crafts a malicious file (e.g., a JSP web shell) and sends it to the vulnerable upload endpoint. The server accepts the file and places it in a web-accessible directory, making the shell executable via a standard HTTP request [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary commands with the privileges of the web server (typically a high-privilege account). This leads to complete compromise of confidentiality, integrity, and availability — the attacker can read, modify, or delete any files, install additional malware, pivot to internal systems, and potentially gain full control of the server [1][2]. The CVSS v3.1 score is 9.8 (Critical) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [1][2].

Mitigation

The vendor, Interinfo, recommends updating to a version later than DreamMaker Java Composer 2.2 [1][2]. The fixed version is not explicitly named in the available references, but users should apply the latest update provided by Interinfo. No workaround is described. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication date [1][2].