Share
## https://sploitus.com/exploit?id=F0DF4512-BAAA-54E1-B871-F32304F2B157
# CVE-2026-48030 โ€” OS Command Injection in Pheditor

## Overview

| Field | Details |
|-------|---------|
| **CVE ID** | CVE-2026-48030 |
| **Product** | pheditor |
| **Vendor** | Hamid Samak |
| **Affected Versions** | 2.0.1, 2.0.2, 2.0.3 |
| **Patched Version** | 2.0.4 |
| **Severity** | Critical |
| **CVSS Score** | 9.9 |
| **CVSS Vector** | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| **CWE** | CWE-78 (OS Command Injection) |
| **Discovered by** | Muslimbek Burxonov |

---

## Description

A critical OS Command Injection vulnerability exists in the terminal action
handler of `pheditor.php`. The `dir` POST parameter is concatenated directly
into `shell_exec()` without sanitization, allowing an authenticated attacker
to bypass the `TERMINAL_COMMANDS` whitelist and execute arbitrary OS commands.

---

## Vulnerable Code

**pheditor.php, line 586:**

```php
$command = $_POST['command'];  // โœ“ metacharacters checked
$dir     = $_POST['dir'];      // โœ— NOT checked โ€” vulnerable

// Check applies to $command only, NOT $dir
if (strpos($command, '&')  !== false ||
    strpos($command, ';')  !== false ||
    strpos($command, '||') !== false) {
    die(...);
}

// $dir injected unsanitized into shell_exec
$output = shell_exec(
    (empty($dir) ? null : 'cd ' . $dir . ' && ')
    . $command . ' && echo \ ; pwd'
);
```

---

## Proof of Concept

```bash
python3 poc.py --target http://TARGET/pheditor.php --password admin
```

See [poc.py](poc.py) for full PoC script.

---

## Fix

**pheditor.php, line 586 โ€” replace:**

```php
// BEFORE (vulnerable)
'cd ' . $dir

// AFTER (patched)
'cd ' . escapeshellarg($dir)
```

---

## References

- [GitHub Advisory GHSA-jvc5-6g7q-c843](https://github.com/pheditor/pheditor/security/advisories/GHSA-jvc5-6g7q-c843)
- [pheditor v2.0.4 Release](https://github.com/pheditor/pheditor/releases/tag/2.0.4)
- [pheditor Repository](https://github.com/pheditor/pheditor)

---

## Disclaimer

This PoC is provided for educational and research purposes only.
Use only on systems you have explicit permission to test.