CVE-2026-26682
Received Received - Intake
Arbitrary Code Execution in fastCMS PluginController Before v

Publication date: 2026-02-26

Last updated on: 2026-03-03

Assigner: MITRE

Description
An issue in fastCMS before v.0.1.6 allows a local attacker to execute arbitrary code via the PluginController.java component
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-03
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26682
EUVD
EUVD-2026-8862
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xjd2020 fastcms to 0.1.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26682 is a Remote Code Execution vulnerability in fastCMS versions up to and including 0.1.6.

The issue occurs due to improper handling of plugin uploads in the PluginController.java component, which allows a local attacker to execute arbitrary code by uploading a specially crafted plugin.

This vulnerability is fixed in fastCMS versions after 0.1.6.

Impact Analysis

This vulnerability allows an attacker with local access to execute arbitrary code on the affected system.

Successful exploitation could lead to full system compromise, unauthorized access, data theft, or disruption of services depending on the privileges of the exploited process.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking if your fastCMS installation is running a version up to and including 0.1.6, as these versions are vulnerable to arbitrary code execution via specially crafted plugin uploads.

To detect exploitation attempts or presence of malicious plugins, you can look for unusual plugin files or uploads in the PluginController.java handling process.

A proof of concept (PoC) exploit is available, which can be used in a controlled environment to test if your system is vulnerable.

  • Check the fastCMS version: `fastcms --version` or check the version in your deployment files.
  • Inspect plugin upload directories for suspicious or unexpected files.
  • Monitor logs for unusual plugin upload activity or execution attempts.
  • Use the PoC from the GitHub repository to test vulnerability in a safe environment: `git clone https://github.com/sorzs/opencve/tree/main/CVE-2026-26682` and follow the instructions.
Mitigation Strategies

The immediate mitigation step is to upgrade fastCMS to a version later than 0.1.6, as the vulnerability is resolved in versions after 0.1.6.

Until you can upgrade, restrict plugin upload capabilities to trusted users only and monitor plugin upload activity closely.

Consider disabling plugin uploads temporarily if possible to prevent exploitation.

Review and harden file upload handling and permissions related to the PluginController.java component.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26682. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart