
Description

Discuz! X5.0 releases 20260320 through 20260610 contain a CAPTCHA bypass vulnerability that allows unauthenticated remote attackers to defeat challenge controls by exploiting the limited complexity and predictable character sets of the generated CAPTCHA images. An attacker can train a custom optical character recognition model on collected CAPTCHA samples to reliably predict the challenge text, bypassing the protections that guard login, registration, and other functionality against automated abuse.

Status: PUBLISHED | Reserved 2026-06-02 | Published 2026-06-15 | Updated 2026-06-16 | Assigner VulnCheck

MEDIUM: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N)

MEDIUM: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Problem types

Guessable CAPTCHA

Product status

Default status: unknown

Version 20260320 (date): affected

Credits

Egidio Romano (finder)

References

seclists.org/fulldisclosure/2026/Jun/4 (mailing-list)

karmainsecurity.com/KIS-2026-10 (technical-description)

karmainsecurity.com/...-in-discuz-from-race-condition-to-rce (exploit)

www.vulncheck.com/...ha-bypass-via-predictable-character-set (third-party-advisory)

cve.org (CVE-2026-49953)

nvd.nist.gov (CVE-2026-49953)
