CVE-2026-49953— Discuz! X5.0 CAPTCHA Bypass via Predictable Character Set
Possible ATT&CK Techniques 2AI
T1110.003 · Password Spraying T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Discuz! | Discuz! X5.0 | 20260320≤ 20260610 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-49953
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Discuz! X5.0 CAPTCHA Bypass via Predictable Character Set
Source: NVD (National Vulnerability Database)
Vulnerability Description
Discuz! X5.0 releases 20260320 through 20260610 contains a CAPTCHA bypass vulnerability that allows unauthenticated remote attackers to defeat challenge controls by exploiting limited complexity and predictable character sets in generated CAPTCHA images. Attackers can train a custom optical character recognition model against collected CAPTCHA samples to reliably predict challenge text, bypassing protections on login, registration, and other functionality from automated abuse.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
可猜测的验证码
Source: NVD (National Vulnerability Database)
Vulnerability Title
Discuz! X5.0 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Discuz! X5.0是Discuz!团队的一款PHP网络论坛程序。 Discuz! X5.0 20260320版本至20260610之前版本存在授权问题漏洞,该漏洞源于生成的CAPTCHA图像复杂性和字符集可预测,可能导致未经身份验证的远程攻击者通过训练光学字符识别模型绕过验证控制,从而绕过登录、注册等功能的防护。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Discuz! | Discuz! X5.0 | 20260320 ~ 20260610 | - |
II. Public POCs for CVE-2026-49953
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-49953
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-49953 (2)
- 🔗 Discuz! <= X5.0 OCR-based CAPTCHA Bypass Vulnerability | Karma(In)Securitytechnical-description
Same Patch Batch · Discuz! · 2026-06-15 · 3 CVEs total
| CVE-2026-49952 | 9.1 CRITICAL | Discuz! X5.0 Authentication Bypass via dbbak.php Encryption Oracle |
| CVE-2026-49954 | 7.2 HIGH | Discuz! X5.0 Local File Inclusion via enable_disable.php Plugin Directory |
IV. Related Vulnerabilities
Same weakness: CWE-804
- CVE-2026-40935
WWBN/AVideo has CAPTCHA Bypass via Attacker-Controlled Lengt - CVE-2026-27411
WordPress SiteGuard WP plugin plugin <= 1.7.9 - Captcha Bypa - CVE-2025-10423
newbee-mall kaptcha mallKaptcha Captcha - CVE-2025-8546
atjiu pybbs Verification Code login Captcha - CVE-2025-32036
DNN allows the possibility of bypassing Captcha
V. Comments for CVE-2026-49953
No comments yet