CVE-2026-10273
Deferred - Pending Action
Command Injection in php-censor via GitBuild Webhook

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A vulnerability was found in php-censor up to 2.1.6. It affects an unknown function in the file src/Model/Build/GitBuild.php of the Webhook Endpoint component. Manipulation of the argument commitId results in OS command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The patch is named cd68d102601320bd319d590b75f7652e66f0685f. It is recommended to apply the patch to fix this issue.
Meta Information
Published: 2026-06-01
Last Modified: 2026-06-01
Generated: 2026-06-01
AI Q&A: 2026-06-01
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor      Product     Version / Range
php-censor  php-censor  up to 2.1.6 (inclusive)
CWE ID   Description
CWE-77   The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78   The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-10273 is a critical security vulnerability in PHP Censor, specifically in the webhook endpoint component. The vulnerability arises because the commitId parameter, received from unauthenticated webhook requests, is passed unsanitized into shell commands such as git checkout and git log. This allows an attacker to perform OS command injection remotely by manipulating the commitId argument.

The webhook controller bypasses authentication checks, enabling attackers to send crafted requests without credentials. The vulnerability was fixed by applying the escapeshellarg() function to sanitize the commitId parameter, preventing shell metacharacters from being interpreted and thus blocking command injection.


How can this vulnerability impact me?

This vulnerability allows unauthenticated remote attackers to execute arbitrary operating system commands on the server running PHP Censor. By exploiting the unsanitized commitId parameter in webhook requests, attackers can gain full remote code execution capabilities.

  • Execute arbitrary system commands with root privileges.
  • Read sensitive files on the server.
  • Establish persistent access to the compromised system.
  • Pivot to internal networks and compromise other systems.
  • Compromise the software supply chain by injecting malicious code during build processes.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unsanitized input parameters (commitId and branch) being passed to shell commands in the PHP Censor webhook endpoint, which can lead to remote OS command injection.

To detect exploitation attempts on your system or network, you can monitor for unusual or suspicious webhook requests to the endpoint /webhook/git/<projectId> that include shell metacharacters such as $(), backticks, or other command injection patterns in the commitId or branch parameters.

Example commands to detect suspicious webhook requests in web server logs or access logs might include:

  • grep -E 'branch=.*\$\(|branch=.*`' /var/log/nginx/access.log
  • grep -E 'commitId=.*\$\(|commitId=.*`' /var/log/nginx/access.log

Additionally, monitoring running processes or command execution logs for unexpected git commands with unusual arguments may help detect exploitation.
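The grep patterns above only match a literal `$(` or backtick, so a request that percent-encodes the metacharacters slips past them. The following is an added example (not part of this advisory or of PHP Censor) that generalizes the check: it parses constructed nginx-style access log lines, URL-decodes the commitId and branch parameters of requests to /webhook/git/<projectId>, and flags shell metacharacters; it also assumes, as a stricter allowlist, that a commitId should be a 7-40 character hex string, which is an assumption of the example rather than something the advisory states.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (nginx "combined" format); not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jun/2026:10:00:01 +0000] "POST /webhook/git/12?commitId=3f2a9c1&branch=main HTTP/1.1" 200 15 "-" "git-hook"
203.0.113.7 - - [01/Jun/2026:10:00:02 +0000] "POST /webhook/git/12?commitId=abc%24%28malicious%29&branch=main HTTP/1.1" 200 15 "-" "curl/8.0"
203.0.113.9 - - [01/Jun/2026:10:00:03 +0000] "POST /webhook/git/12?commitId=3f2a9c1&branch=feature%60x%60 HTTP/1.1" 200 15 "-" "curl/8.0"
198.51.100.2 - - [01/Jun/2026:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Client IP, timestamp and request target out of a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# Only the webhook endpoint named in the advisory is of interest.
WEBHOOK_PATH_RE = re.compile(r"^/webhook/git/[^/?]+")
WATCHED_PARAMS = ("commitId", "branch")
# Characters that let a value break out of a shell command; none belong in a ref or commit id.
META_RE = re.compile(r"[`$;|&<>\n]")
# Assumption of this example: a legitimate commitId is an abbreviated or full git SHA-1.
HEX_COMMIT_RE = re.compile(r"^[0-9a-f]{7,40}$")


def suspicious_params(target):
    """Return (param, decoded_value, reason) for watched params that look injected."""
    parts = urlsplit(target)
    if not WEBHOOK_PATH_RE.match(parts.path):
        return []
    findings = []
    # parse_qs percent-decodes, so %24%28 is inspected as "$(".
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            if META_RE.search(value):
                findings.append((name, value, "shell metacharacter"))
            elif name == "commitId" and not HEX_COMMIT_RE.match(value):
                findings.append((name, value, "not a hex commit id"))
    return findings


def scan_log(text):
    """Scan access-log text and return one dict per suspicious parameter value."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for name, value, reason in suspicious_params(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "param": name,
                         "value": value, "reason": reason})
    return hits
```

Run `scan_log(open("/var/log/nginx/access.log").read())` to apply it to a real log; each hit carries the source IP and timestamp for correlation with the process-level git activity mentioned above.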


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to apply the official patch that sanitizes the commitId and branch parameters using the PHP function escapeshellarg(), preventing command injection.

If immediate patching is not possible, consider restricting access to the webhook endpoint (/webhook/git/<projectId>) to trusted IP addresses or networks to prevent unauthenticated remote exploitation.

Additionally, monitor and block suspicious webhook requests containing shell metacharacters in parameters.

Upgrading PHP Censor to version 2.1.6 or later, which includes the fix, is strongly recommended.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in php-censor allows unauthenticated remote attackers to execute arbitrary OS commands on the server by exploiting unsanitized input in webhook parameters. This can lead to unauthorized access to sensitive data, potential data breaches, and compromise of system integrity.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, ensuring confidentiality, integrity, and availability of systems.

If exploited, this vulnerability could result in exposure or manipulation of protected data, violating regulatory requirements and potentially leading to legal and financial consequences.

