SecuriTricks - CVE-2026-49953

Description

Discuz! X5.0 releases 20260320 through 20260610 contains a CAPTCHA bypass vulnerability that allows unauthenticated remote attackers to defeat challenge controls by exploiting limited complexity and predictable character sets in generated CAPTCHA images. Attackers can train a custom optical character recognition model against collected CAPTCHA samples to reliably predict challenge text, bypassing protections on login, registration, and other functionality from automated abuse.

Product(s) Impacted

Vendor	Product	Versions
Discuz	Discuz	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-804

Guessable CAPTCHA

The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	discuz	discuz	/	x5.0	20260320-20260501	/	/	/	/	/

References

https://karmainsecurity.com/KIS-2026-10

https://karmainsecurity.com/chaining-bugs-in-discuz-from-race-condition-to-rce

https://www.vulncheck.com/advisories/discuz-x5-0-captcha-bypass-via-predictable-character-set

CVSS Score

6.9 / 10

CVSS Data - 4.0

Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Scope:
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Exploit Maturity: NOT_DEFINED

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: June 15, 2026, 8:16 p.m.
Last Modified: June 15, 2026, 9:17 p.m.

Status : Deferred

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-49953