External risk intelligence

Daylight Studio FuelCMS Dwoo Component Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-30457

FuelCMS is a web-based content management system. By design, web applications and CMS platforms are typically deployed as internet-facing services to manage website content, making the underlying components and parsing engines part of a public-facing web surface.

Code Injection

Thedaylightstudio Dwoo

1.1.01.5.2

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in the Daylight Studio FuelCMS software, specifically within its Dwoo parsing component. The flaw allows for arbitrary code execution, meaning an attacker could potentially run any command on the affected system if they can exploit this weakness. The main concern is confirming whether our environment uses this specific software and if it is exposed to potential exploitation.

  • Code execution flaw found in content management software.
  • Confirms relevance and potential exposure to this vulnerability.
  • Assess impact and exposure for our FuelCMS installations.

Attack Path

How an attacker could exploit the issue

An attacker can target the Dwoo parser component within Daylight Studio FuelCMS by sending specially crafted PHP code through a network-accessible interface. This could allow them to execute arbitrary commands on the server, potentially leading to complete system compromise.

  • Requires network access.
  • Triggered by crafted PHP code.
  • Risk: arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

Attackers could execute arbitrary PHP code by exploiting a vulnerability within the `/parser/dwoo` component. This could impact systems running Daylight Studio FuelCMS when the affected component is accessible over the network.

  • PHP code execution.
  • Via crafted PHP code.
  • System compromise may occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and platform teams are likely responsible for addressing this critical vulnerability in the Daylight Studio FuelCMS component. The first practical step is to identify all instances of the affected technology, confirm their exposure and business criticality, and then assign an owner to plan remediation.

  • Assign issue ownership to the relevant team.
  • Verify external exposure and business impact.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Daylight Studio FuelCMS?

FuelCMS is a web-based content management system used to build and manage website content. It relies on internal components like the Dwoo library, which acts as a template parsing engine to render dynamic web pages. Because it is a CMS, it often processes data and templates provided by users or administrators to generate the final HTML output seen by visitors.

What does CWE-94 mean for CVE-2026-30457?

This vulnerability is classified as CWE-94, which refers to Improper Control of Generation of Code. In this specific case, it means the Dwoo component fails to safely distinguish between intended template instructions and malicious commands. As a result, the system can be tricked into executing arbitrary PHP code provided by an attacker instead of just rendering the expected page content.

How is the code execution triggered?

An attacker triggers this flaw by sending specially crafted PHP code to the Dwoo parsing component over the network. It is important to note that this requires the ability to reach the vulnerable component directly; it cannot be triggered by simply visiting a standard page on the site that does not interact with the compromised parsing logic.

Is my system at risk?

According to Halo Surface Signal, you should be concerned if your instance is internet-facing. Because FuelCMS is designed for web content management, it is often deployed publicly. If your installation is reachable from the internet, it provides a direct path for unauthorized actors to attempt to send the malicious code needed to exploit the Dwoo parsing engine.

What should I do first to address this?

Your first step is to perform an inventory of your systems to locate every instance of FuelCMS v1.5.2 running in your environment. Once identified, evaluate whether those instances are accessible from the network. After confirming which systems are affected and their level of exposure, assign an owner to prioritize these instances and begin planning the necessary remediation steps.

References