CVE-2026-10273
Description
An unauthenticated OS command injection vulnerability in the PHP Censor webhook endpoint allows remote attackers to execute arbitrary system commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
PHP Censor versions up to 2.1.6 contain an OS command injection vulnerability within the webhook processing logic [1]. The WebhookController is explicitly excluded from authentication checks in src/Application.php, allowing unauthenticated access to the /webhook/git/ endpoint [1]. Within src/Model/Build/GitBuild.php, user-supplied input from the branch and commitId parameters is passed unsanitized into shell commands executed via Symfony's Process::fromShellCommandline(), which interprets shell metacharacters [1][3][4].
Exploitation
An attacker can exploit this vulnerability without authentication by sending a crafted HTTP request to the webhook endpoint [1]. By enumerating a valid projectId—which can be retrieved via the unauthenticated /build-status/image/ endpoint—an attacker can inject arbitrary shell commands into the branch or commitId parameters [1][4]. The application then executes these commands with the privileges of the web server process, which in default Docker deployments is root [1].
Impact
Successful exploitation allows an unauthenticated remote attacker to achieve full Remote Code Execution (RCE) on the underlying server [1]. This results in a complete compromise of the application environment, enabling the attacker to execute arbitrary system commands, access sensitive data, or modify the system configuration [1].
Mitigation
Users should upgrade to a patched version of PHP Censor that incorporates the fixes provided in commit cd68d102601320bd319d590b75f7652e66f0685f [3]. The fix involves applying escapeshellarg() to the branch and commitId parameters before they are interpolated into shell command strings [3][4]. If an immediate upgrade is not possible, ensure the webhook endpoint is restricted via network-level access controls.
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- PHP Censor, range: <=2.1.6
Patches
cd68d1026013 fix: also escape commitId parameter in git checkout and git log commands
1 file changed · +3 −3
src/Model/Build/GitBuild.php+3 −3 modified@@ -167,7 +167,7 @@ protected function postCloneSetup(Builder $builder, $cloneTo, array $extra = nul if (empty($this->getEnvironmentId()) && !empty($commitId)) { $cmd = $chdir . ' && git checkout %s --quiet'; - $success = $builder->executeCommand($cmd, $cloneTo, $commitId); + $success = $builder->executeCommand($cmd, $cloneTo, \escapeshellarg($commitId)); } // Always update the commit hash with the actual HEAD hash @@ -176,11 +176,11 @@ protected function postCloneSetup(Builder $builder, $cloneTo, array $extra = nul $this->setCommitId($commitId); - if ($builder->executeCommand($chdir . ' && git log -1 --pretty=format:%%s %s', $cloneTo, $commitId)) { + if ($builder->executeCommand($chdir . ' && git log -1 --pretty=format:%%s %s', $cloneTo, \escapeshellarg($commitId))) { $this->setCommitMessage(\trim($builder->getLastOutput())); } - if ($builder->executeCommand($chdir . ' && git log -1 --pretty=format:%%ae %s', $cloneTo, $commitId)) { + if ($builder->executeCommand($chdir . ' && git log -1 --pretty=format:%%ae %s', $cloneTo, \escapeshellarg($commitId))) { $this->setCommitterEmail(\trim($builder->getLastOutput())); } }
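Review bot: in the `git checkout %s --quiet` hunk, `\escapeshellarg($commitId)` prevents the value from being split into additional shell commands, but it does not check that the value is a commit id; any string still reaches `git checkout` as one argument. Consider validating `$commitId` against a hex allow-list (for example `/^[0-9a-f]{4,40}$/i`) before the command string is built, or resolving it with `git rev-parse --verify` first, so that only a revision is ever passed through.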
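Review bot: the two `git log -1 --pretty=format:...` calls repeat the same fix by hand at each call site, and the commit title itself records that an earlier change missed `commitId`. A more robust structure is to have `executeCommand` (or one helper used by every `git` invocation in `GitBuild.php`) apply `escapeshellarg()` to each interpolated `%s` argument, so a new call site cannot forget it; the three changed lines would then pass the raw `$commitId` again and be escaped centrally. The `%%s` and `%%ae` in the templates are correct sprintf escaping for the literal `%` and should stay as they are.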
Vulnerability mechanics
Root cause
"The application fails to sanitize the commitId parameter before passing it to shell commands, allowing for OS command injection."
Attack vector
An unauthenticated remote attacker can trigger this vulnerability by sending a crafted request to the webhook endpoint. The commitId parameter is processed by the application and subsequently interpolated into git checkout and git log shell commands [patch_id=4328671]. Because the input is not properly escaped, an attacker can inject arbitrary shell metacharacters to execute system commands [ref_id=1].
Affected code
The vulnerability is located in src/Model/Build/GitBuild.php, specifically within the postCloneSetup function where the commitId parameter is used in git checkout and git log commands [patch_id=4328671].
What the fix does
The patch modifies src/Model/Build/GitBuild.php to wrap the commitId variable in the escapeshellarg() function before it is passed to the builder's executeCommand method [patch_id=4328671]. This ensures that any shell metacharacters provided in the commitId parameter are treated as literal strings rather than executable commands [ref_id=2]. By applying this sanitization to all instances where commitId is used in shell commands, the injection vector is closed [patch_id=4328671].
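As an added illustration that is not PHP Censor's own code: a minimal stand-in for the sprintf-style command building shown in the patch (`%s` placeholders filled from trailing arguments), in its unescaped and escaped forms, plus a hex allow-list check for commit ids as defence in depth. The helper names, the build path and the sample webhook value are constructed for the example.

```php
<?php
// Added example, not code from the PHP Censor project. Helper names are
// hypothetical; the path and the commitId value below are constructed.

// Unescaped: arguments are interpolated into the shell command line as-is,
// which is the pattern the advisory describes for branch and commitId.
function buildCommandUnsafe(string $template, string ...$args): string
{
    return vsprintf($template, $args);
}

// Escaped as in the fix: each interpolated argument passes through
// escapeshellarg(), so shell metacharacters stay inside one quoted word.
function buildCommandEscaped(string $template, string ...$args): string
{
    return vsprintf($template, array_map('escapeshellarg', $args));
}

// Defence in depth: a commit id is a 4..40 character hex string and nothing
// else. Rejecting other shapes keeps non-revision input out of the command
// builder entirely, independent of how the shell line is quoted.
function isValidCommitId(string $commitId): bool
{
    return (bool) preg_match('/^[0-9a-f]{4,40}$/i', $commitId);
}

// Constructed working directory and the same template shape as the patch;
// '%%s' is the literal '%s' for git's pretty format, '%s' is the argument.
$chdir    = 'cd ' . escapeshellarg('/var/www/builds/42');
$template = $chdir . ' && git log -1 --pretty=format:%%s %s';

// Constructed sample webhook value that is clearly not a commit hash.
$commitId = 'deadbeef && echo not-a-hash';

echo 'unsafe:  ', buildCommandUnsafe($template, $commitId), PHP_EOL;
echo 'escaped: ', buildCommandEscaped($template, $commitId), PHP_EOL;
echo 'valid(sample):      ', var_export(isValidCommitId($commitId), true), PHP_EOL;
echo 'valid(cd68d1026013): ', var_export(isValidCommitId('cd68d1026013'), true), PHP_EOL;
```

Comparing the two printed command lines shows the difference the patch makes: in the escaped form the whole value is one single-quoted argument to `git log`, while the allow-list check rejects it before any command is built.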
Preconditions
- Network: the attacker must have network access to the webhook endpoint.
- Configuration: the target must have at least one Git-type project configured [ref_id=1].
Reproduction
As documented in the public exploit reference, an attacker can enumerate a valid project ID via the /build-status/image/{id} endpoint and then trigger command injection by sending a POST request to the webhook endpoint with a malicious payload in the branch or commitId parameters [ref_id=1].
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (7)
News mentions (0)
No linked articles in our index yet.