CVE-2026-49953

EUVD-2026-36793

15.06.2026, 20:16

Discuz! X5.0 releases 20260320 through 20260610 contains a CAPTCHA bypass vulnerability that allows unauthenticated remote attackers to defeat challenge controls by exploiting limited complexity and predictable character sets in generated CAPTCHA images. Attackers can train a custom optical character recognition model against collected CAPTCHA samples to reliably predict challenge text, bypassing protections on login, registration, and other functionality from automated abuse.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-804 - Guessable CAPTCHA
The software uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.

References

https://karmainsecurity.com/KIS-2026-10

https://karmainsecurity.com/chaining-bugs-in-discuz-from-race-condition-to-rce

https://www.vulncheck.com/advisories/discuz-x5-0-captcha-bypass-via-predictable-character-set