CVE-2026-10072

Vulnerability

CVE-2026-10072 is an arbitrary file upload vulnerability in DreamMaker, developed by Interinfo. The flaw exists in the Java Composer component of DreamMaker versions 2.2 and earlier [1][2]. A privileged remote attacker can upload a malicious file (e.g., a web shell) to the server without proper validation of the file type or content.

Exploitation

An attacker must have administrative privileges (high privileges) to exploit this vulnerability. The attacker can send a crafted HTTP request to the vulnerable endpoint, uploading a web shell file. No user interaction is required beyond the attacker's own actions. The attack vector is network-based (AV:N) with low attack complexity (AC:L) [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary code on the server with the privileges of the web server process. This leads to full compromise of confidentiality, integrity, and availability (C:H/I:H/A:H) [1][2]. The attacker can perform any action on the server, including data theft, malware installation, or further lateral movement.

Mitigation

The vendor recommends updating DreamMaker Java Composer to the latest version [1][2]. As of the publication date (2026-05-29), no specific fixed version number is disclosed in the available references. Users should contact Interinfo for the patch and apply it promptly. No workarounds are mentioned.