EXECUTIVE SUMMARY:
CVE-2026-48030 with a CVSS score of 9.9 is a critical OS Command Injection vulnerability in the pheditor package, specifically affecting versions 2.0.1 to 2.0.3, which allows an attacker to execute arbitrary OS commands by injecting shell metacharacters into the 'dir' POST parameter, bypassing the TERMINAL_COMMANDS whitelist. This vulnerability occurs because the terminal handler in pheditor.php fails to sanitize the 'dir' parameter, allowing an attacker to inject malicious commands. An attacker can exploit this vulnerability by sending a crafted POST request with a malicious 'dir' parameter, requiring valid credentials and terminal permission enabled, which is the default configuration. If successfully exploited, the attacker gains the capability to execute arbitrary OS commands as the web server user, bypass the TERMINAL_COMMANDS whitelist, and potentially deploy persistent PHP webshells to the webroot. The business impact of this vulnerability is significant, as it can lead to the compromise of sensitive data, disruption of services, and potential lateral movement within the network. The prerequisites for exploitation include having valid credentials and terminal permission enabled, which is the default configuration, making it a relatively low-barrier vulnerability to exploit.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-48030 with a CVSS score of 9.9 is a critical OS Command Injection vulnerability in the pheditor package, specifically affecting versions 2.0.1 to 2.0.3, which allows an attacker to execute arbitrary OS commands by injecting shell metacharacters into the 'dir' POST parameter, bypassing the TERMINAL_COMMANDS whitelist. This vulnerability occurs because the terminal handler in pheditor.php fails to sanitize the 'dir' parameter, allowing an attacker to inject malicious commands. An attacker can exploit this vulnerability by sending a crafted POST request with a malicious 'dir' parameter, requiring valid credentials and terminal permission enabled, which is the default configuration. If successfully exploited, the attacker gains the capability to execute arbitrary OS commands as the web server user, bypass the TERMINAL_COMMANDS whitelist, and potentially deploy persistent PHP webshells to the webroot. The business impact of this vulnerability is significant, as it can lead to the compromise of sensitive data, disruption of services, and potential lateral movement within the network. The prerequisites for exploitation include having valid credentials and terminal permission enabled, which is the default configuration, making it a relatively low-barrier vulnerability to exploit.[emaillocker id="1283"]
RECOMMENDATION:
We recommend you to update pheditor to version 2.0.4.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-jvc5-6g7q-c843