Executive Summary

CVE-2026-10273 is a critical security vulnerability in PHP Censor, specifically in the webhook endpoint component. The vulnerability arises because the commitId parameter, received from unauthenticated webhook requests, is passed unsanitized into shell commands such as git checkout and git log. This allows an attacker to perform OS command injection remotely by manipulating the commitId argument.

The webhook controller bypasses authentication checks, enabling attackers to send crafted requests without credentials. The vulnerability was fixed by applying the escapeshellarg() function to sanitize the commitId parameter, preventing shell metacharacters from being interpreted and thus blocking command injection.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthenticated remote attackers to execute arbitrary operating system commands on the server running PHP Censor. By exploiting the unsanitized commitId parameter in webhook requests, attackers can gain full remote code execution capabilities.

• Execute arbitrary system commands with root privileges.
• Read sensitive files on the server.
• Establish persistent access to the compromised system.
• Pivot to internal networks and compromise other systems.
• Compromise the software supply chain by injecting malicious code during build processes.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unsanitized input parameters (commitId and branch) being passed to shell commands in the PHP Censor webhook endpoint, which can lead to remote OS command injection.

To detect exploitation attempts on your system or network, you can monitor for unusual or suspicious webhook requests to the endpoint /webhook/git/<projectId> that include shell metacharacters such as $(), backticks, or other command injection patterns in the commitId or branch parameters.

Example commands to detect suspicious webhook requests in web server logs or access logs might include:

• grep -E 'branch=.*\$\(|branch=.*`' /var/log/nginx/access.log
• grep -E 'commitId=.*\$\(|commitId=.*`' /var/log/nginx/access.log

Additionally, monitoring running processes or command execution logs for unexpected git commands with unusual arguments may help detect exploitation.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to apply the official patch that sanitizes the commitId and branch parameters using the PHP function escapeshellarg(), preventing command injection.

If immediate patching is not possible, consider restricting access to the webhook endpoint (/webhook/git/<projectId>) to trusted IP addresses or networks to prevent unauthenticated remote exploitation.

Additionally, monitor and block suspicious webhook requests containing shell metacharacters in parameters.

Upgrading PHP Censor to version 2.1.6 or later, which includes the fix, is strongly recommended.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in php-censor allows unauthenticated remote attackers to execute arbitrary OS commands on the server by exploiting unsanitized input in webhook parameters. This can lead to unauthorized access to sensitive data, potential data breaches, and compromise of system integrity.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, ensuring confidentiality, integrity, and availability of systems.

If exploited, this vulnerability could result in exposure or manipulation of protected data, violating regulatory requirements and potentially leading to legal and financial consequences.

Useful 0 Not Useful 0