CVE-2026-49953

Discuz! X5.0 CAPTCHA Bypass via Predictable Character Set

CVSS 6.9 MEDIUMEPSS 0.4%CWE-804

Discuz! X5.0 releases 20260320 through 20260610 contains a CAPTCHA bypass vulnerability that allows unauthenticated remote attackers to defeat challenge controls by exploiting limited complexity and predictable character sets in generated CAPTCHA images. Attackers can train a custom optical character recognition model against collected CAPTCHA samples to reliably predict challenge text, bypassing protections on login, registration, and other functionality from automated abuse.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products

Discuz! · Discuz! X5.0

public PoCs found — 1

cve_referencekarmainsecurity.com/chaining-bugs-in-discuz-from-race-condition-to-rceunverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://seclists.org/fulldisclosure/2026/Jun/4 https://karmainsecurity.com/chaining-bugs-in-discuz-from-race-condition-to-rce https://karmainsecurity.com/KIS-2026-10 https://www.vulncheck.com/advisories/discuz-x5-0-captcha-bypass-via-predictable-character-set