CVE-2026-49953: Guessable CAPTCHA in Discuz! Discuz! X5.0
Discuz! X5.0 releases 20260320 through 20260610 contains a CAPTCHA bypass vulnerability that allows unauthenticated remote attackers to defeat challenge controls by exploiting limited complexity and predictable character sets in generated CAPTCHA images. Attackers can train a custom optical character recognition model against collected CAPTCHA samples to reliably predict challenge text, bypassing protections on login, registration, and other functionality from automated abuse.
AI Analysis
Technical Summary
CVE-2026-49953 affects Discuz! X5.0 releases from 20260320 through 20260501. The vulnerability arises from the use of CAPTCHAs with limited complexity and predictable character sets, enabling attackers to train optical character recognition models to bypass CAPTCHA challenges. This bypass can be exploited remotely without authentication to circumvent protections on login, registration, and other functionalities that rely on CAPTCHA to prevent automated abuse. The CVSS 4.0 base score is 6.9, reflecting a medium severity with network attack vector, low attack complexity, and no required privileges or user interaction. No vendor advisory or patch information is currently provided.
Potential Impact
The vulnerability allows unauthenticated remote attackers to bypass CAPTCHA protections by predicting the challenge text using trained OCR models. This can lead to automated abuse of login, registration, and other CAPTCHA-protected functionalities. While it does not directly lead to system compromise, it undermines a key anti-automation control, increasing the risk of credential stuffing, spam registrations, or other automated attacks.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, consider implementing alternative CAPTCHA mechanisms with higher complexity or multi-factor protections to reduce the risk of automated abuse. Monitor for updates from the vendor regarding official patches or mitigations.
CVE-2026-49953: Guessable CAPTCHA in Discuz! Discuz! X5.0
Description
Discuz! X5.0 releases 20260320 through 20260610 contains a CAPTCHA bypass vulnerability that allows unauthenticated remote attackers to defeat challenge controls by exploiting limited complexity and predictable character sets in generated CAPTCHA images. Attackers can train a custom optical character recognition model against collected CAPTCHA samples to reliably predict challenge text, bypassing protections on login, registration, and other functionality from automated abuse.
CVSS v4.0
Score 6.9medium
Affected software
pkg:github/discuz/discuz-x5.0Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-49953 affects Discuz! X5.0 releases from 20260320 through 20260501. The vulnerability arises from the use of CAPTCHAs with limited complexity and predictable character sets, enabling attackers to train optical character recognition models to bypass CAPTCHA challenges. This bypass can be exploited remotely without authentication to circumvent protections on login, registration, and other functionalities that rely on CAPTCHA to prevent automated abuse. The CVSS 4.0 base score is 6.9, reflecting a medium severity with network attack vector, low attack complexity, and no required privileges or user interaction. No vendor advisory or patch information is currently provided.
Potential Impact
The vulnerability allows unauthenticated remote attackers to bypass CAPTCHA protections by predicting the challenge text using trained OCR models. This can lead to automated abuse of login, registration, and other CAPTCHA-protected functionalities. While it does not directly lead to system compromise, it undermines a key anti-automation control, increasing the risk of credential stuffing, spam registrations, or other automated attacks.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, consider implementing alternative CAPTCHA mechanisms with higher complexity or multi-factor protections to reduce the risk of automated abuse. Monitor for updates from the vendor regarding official patches or mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-06-02T16:30:15.232Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3052e10b89be68888274a2
Added to database: 6/15/2026, 7:30:41 PM
Last enriched: 6/15/2026, 8:01:52 PM
Last updated: 6/16/2026, 6:31:05 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.