GitHub: muslimbek-0x/CVE-2026-48030
# CVE-2026-48030 — OS Command Injection in Pheditor
## Overview
| Field | Details |
|-------|---------|
| **CVE ID** | CVE-2026-48030 |
| **Product** | pheditor |
| **Vendor** | Hamid Samak |
| **Affected Versions** | 2.0.1, 2.0.2, 2.0.3 |
| **Patched Version** | 2.0.4 |
| **Severity** | Critical |
| **CVSS Score** | 9.9 |
| **CVSS Vector** | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| **CWE** | CWE-78 (OS Command Injection) |
| **Discovered by** | Muslimbek Burxonov |
## Description
A critical OS command injection vulnerability exists in the terminal action
handler of `pheditor.php`. The `dir` POST parameter is concatenated directly
into the string passed to `shell_exec()` without sanitization. The
metacharacter check covers only the `command` parameter, so an authenticated
attacker can bypass the `TERMINAL_COMMANDS` whitelist and execute arbitrary
OS commands.
## Vulnerable Code
**pheditor.php, line 586:**

```php
$command = $_POST['command']; // ✓ metacharacters checked
$dir = $_POST['dir'];         // ✗ NOT checked — vulnerable

// Check applies to $command only, NOT $dir
if (strpos($command, '&') !== false ||
    strpos($command, ';') !== false ||
    strpos($command, '||') !== false) {
    die(...);
}

// $dir injected unsanitized into shell_exec
$output = shell_exec(
    (empty($dir) ? null : 'cd ' . $dir . ' && ')
    . $command . ' && echo \ ; pwd'
);
```
## Proof of Concept
```bash
python3 poc.py --target http://TARGET/pheditor.php --password admin
```
See [poc.py](poc.py) for full PoC script.
## Fix
**pheditor.php, line 586 — replace:**
```php
// BEFORE (vulnerable)
'cd ' . $dir

// AFTER (patched)
'cd ' . escapeshellarg($dir)
```
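The following is an added example, not code from pheditor or from this advisory, showing how the vulnerable pattern above can be hardened beyond the one-line `escapeshellarg()` fix. `escapeshellarg()` stops shell metacharacters in `dir` from being interpreted, but it does not decide *which* directories the handler may enter, so the example also resolves `dir` with `realpath()` and refuses anything outside a base directory, and it applies the page's metacharacter check to `command` before building the string. The function names (`resolve_allowed_dir`, `build_terminal_command`), the `$allowedCommands` list and the base-directory rule are assumptions for illustration; pheditor's own `TERMINAL_COMMANDS` handling is not reproduced here.

```php
<?php
// Added example (not pheditor's own code): a hardened version of the
// terminal-action command builder. Function names and the base-directory
// rule are assumptions made for this illustration.

declare(strict_types=1);

/**
 * Resolve $dir and refuse anything that is not inside $baseDir.
 * Returns the canonical absolute path, or null if the directory is not
 * allowed. realpath() collapses ".." and symlinks, so a traversal attempt
 * cannot slip past the prefix comparison below.
 */
function resolve_allowed_dir(string $dir, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // An empty dir means "stay in the base directory" (mirrors empty($dir) above).
    $target = $dir === '' ? $base : realpath($dir);
    if ($target === false || !is_dir($target)) {
        return null;
    }
    // Compare with a trailing separator so "/srv/www2" cannot match "/srv/www".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

/**
 * Build the string that the handler would hand to shell_exec().
 * - the first word of $command must be on the allow-list;
 * - $command is rejected if it carries the metacharacters the original check
 *   looks for (kept identical to the page: '&', ';', '||');
 * - $dir is validated against the base directory and then escapeshellarg()'d,
 *   so it always reaches the shell as one single-quoted argument.
 * Returns null whenever the request must be refused.
 */
function build_terminal_command(string $command, string $dir, string $baseDir, array $allowedCommands): ?string
{
    $parts = preg_split('/\s+/', trim($command));
    if ($parts === false || $parts[0] === '' || !in_array($parts[0], $allowedCommands, true)) {
        return null;
    }
    foreach (['&', ';', '||'] as $meta) {
        if (strpos($command, $meta) !== false) {
            return null;
        }
    }
    $cwd = resolve_allowed_dir($dir, $baseDir);
    if ($cwd === null) {
        return null;
    }
    return 'cd ' . escapeshellarg($cwd) . ' && ' . $command . ' && pwd';
}

// Constructed demonstration values: the system temp directory stands in for
// the editor's working tree, and the allow-list is invented for this example.
$base = sys_get_temp_dir();
$allowed = ['ls', 'pwd', 'git'];

// Accepted: allow-listed command, directory inside the base.
var_dump(build_terminal_command('ls -la', $base, $base, $allowed));
// Refused: directory outside the base, even though it exists.
var_dump(build_terminal_command('ls', '/', $base, $allowed));
// Refused: command not on the allow-list.
var_dump(build_terminal_command('rm -rf x', $base, $base, $allowed));
// Refused: metacharacter in the command, as in the original check.
var_dump(build_terminal_command('ls; pwd', $base, $base, $allowed));
```

Run it with `php example.php`; the first call returns a string of the form `cd '<tmpdir>' && ls -la && pwd`, the other three return `NULL`. The directory validation is the part worth keeping in mind when reviewing the vendor's patch: quoting the argument closes the injection, but confining the working directory is what limits what an authenticated user can reach if another command on the whitelist ever turns out to be more powerful than expected.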
## References
- [GitHub Advisory GHSA-jvc5-6g7q-c843](https://github.com/pheditor/pheditor/security/advisories/GHSA-jvc5-6g7q-c843)
- [pheditor v2.0.4 Release](https://github.com/pheditor/pheditor/releases/tag/2.0.4)
- [pheditor Repository](https://github.com/pheditor/pheditor)
## Disclaimer
This PoC is provided for educational and research purposes only.
Use only on systems you have explicit permission to test.