CVE-2026-26682
Arbitrary Code Execution in fastCMS PluginController Before v

Publication date: 2026-02-26

Last updated on: 2026-03-03

Assigner: MITRE

Description
An issue in fastCMS before v.0.1.6 allows a local attacker to execute arbitrary code via the PluginController.java component.
Meta Information
Published: 2026-02-26
Last Modified: 2026-03-03
Generated: 2026-05-07
AI Q&A: 2026-02-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xjd2020 fastcms to 0.1.6 (exc)
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-26682 is a Remote Code Execution vulnerability in fastCMS versions up to and including 0.1.6.

The issue occurs due to improper handling of plugin uploads in the PluginController.java component, which allows a local attacker to execute arbitrary code by uploading a specially crafted plugin.

This vulnerability is fixed in fastCMS versions after 0.1.6.


How can this vulnerability impact me?

This vulnerability allows an attacker with local access to execute arbitrary code on the affected system.

Successful exploitation could lead to full system compromise, unauthorized access, data theft, or disruption of services depending on the privileges of the exploited process.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your fastCMS installation is running a version up to and including 0.1.6, as these versions are vulnerable to arbitrary code execution via specially crafted plugin uploads.

To detect exploitation attempts or presence of malicious plugins, you can look for unusual plugin files or uploads in the PluginController.java handling process.

A proof of concept (PoC) exploit is available, which can be used in a controlled environment to test if your system is vulnerable.

  • Check the fastCMS version: `fastcms --version` or check the version in your deployment files.
  • Inspect plugin upload directories for suspicious or unexpected files.
  • Monitor logs for unusual plugin upload activity or execution attempts.
  • Use the PoC from the GitHub repository to test vulnerability in a safe environment: `git clone https://github.com/sorzs/opencve/tree/main/CVE-2026-26682` and follow the instructions.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade fastCMS to a version later than 0.1.6, as the vulnerability is resolved in versions after 0.1.6.

Until you can upgrade, restrict plugin upload capabilities to trusted users only and monitor plugin upload activity closely.

Consider disabling plugin uploads temporarily if possible to prevent exploitation.

Review and harden file upload handling and permissions related to the PluginController.java component.

