VYPR
Unrated severity · NVD Advisory · Published May 26, 2026

CVE-2026-36239

Description

PbootCMS v3.2.11 contains a code injection vulnerability in its site configuration functionality.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated attackers can achieve remote code execution by injecting PHP code into the Footer Information field of PbootCMS v3.2.11 and earlier.

Vulnerability

PbootCMS v3.2.11 (the issue is reported in versions up to 3.2.12) contains a code injection vulnerability in the site configuration functionality. The decode_string() function in /apps/home/controller/ParserController.php (line 261) applies stripcslashes() followed by htmlspecialchars_decode() to the stored value. Together these reverse the HTML entity encoding and escape sequences that had neutralised the admin-supplied text, so executable PHP code is restored verbatim and echoed directly into the template output. The vulnerable code path is reachable from any frontend page that uses the {pboot:sitecopyright} template tag [1], [2].

Exploitation

An attacker must have authenticated administrative access to the PbootCMS backend (e.g., via credential reuse, session hijacking, or phishing). The attacker navigates to the site configuration page (/admin.php?p=/Site/mod), injects a malicious PHP payload into the “Footer Information” field—for example <?php file_put_contents('shell.php', '<?php echo "vuln"; ?>');?>, saves the configuration, triggers a template cache clearance (/admin.php?p=/Index/clearCache), and then visits any frontend page that includes {pboot:sitecopyright}. This sequence causes the injected payload to be executed server-side [2].
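As an added defender-side example (not part of the advisory and not PbootCMS code), the PHP script below scans access-log lines for the request sequence described above: a POST to the site-configuration page followed, from the same client and within a short window, by a template cache clear. The log lines are constructed for the illustration; the two admin paths are the ones named in the advisory; the combined log format, the ten-minute window and the function names are assumptions.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not PbootCMS source. Flags the "save site config, then clear
 * template cache" sequence in web server access logs so it can be reviewed
 * against legitimate change records. Ordinary admin work produces the same
 * pattern, so the output is a review queue, not a verdict.
 */

// Constructed sample in combined log format. Hosts and times are made up;
// the two /admin.php paths are those the advisory names.
$accessLog = <<<'LOG'
203.0.113.7 - - [26/May/2026:10:01:02 +0000] "GET /admin.php?p=/Site/mod HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [26/May/2026:10:01:40 +0000] "POST /admin.php?p=/Site/mod HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [26/May/2026:10:01:55 +0000] "GET /admin.php?p=/Index/clearCache HTTP/1.1" 200 80 "-" "Mozilla/5.0"
203.0.113.7 - - [26/May/2026:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.4 - - [26/May/2026:11:15:00 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
LOG;

// Parse one combined-format line into client, unix time, method, path and status.
function parse_access_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return [
        'client' => $m[1],
        'time'   => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
    ];
}

// One finding per cache clear that follows a site-config POST from the same
// client within $windowSeconds. The window is an assumed tuning value.
function find_config_then_cache_clear(string $log, int $windowSeconds = 600): array
{
    $lastConfigSave = [];   // client address => time of its most recent POST to /Site/mod
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $e = parse_access_line($line);
        if ($e === null) {
            continue;
        }
        if ($e['method'] === 'POST' && str_starts_with($e['path'], '/admin.php?p=/Site/mod')) {
            $lastConfigSave[$e['client']] = $e['time'];
        } elseif (str_starts_with($e['path'], '/admin.php?p=/Index/clearCache')
            && isset($lastConfigSave[$e['client']])
            && $e['time'] - $lastConfigSave[$e['client']] <= $windowSeconds) {
            $findings[] = sprintf(
                '%s saved site configuration and cleared the template cache %d s later; review the Footer Information field',
                $e['client'],
                $e['time'] - $lastConfigSave[$e['client']]
            );
        }
    }
    return $findings;
}

foreach (find_config_then_cache_clear($accessLog) as $finding) {
    echo $finding, PHP_EOL;
}
```

On the constructed sample only the 203.0.113.7 client is reported. Pairing each finding with a check of the stored footer value for PHP open tags (see the decode example under Mitigation) turns the review queue into something closer to a confirmed alert.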

Impact

Successful exploitation allows arbitrary remote code execution in the server’s runtime context. The attacker can write files (e.g., a web shell) to the web root, leading to full system compromise. This represents a complete loss of confidentiality, integrity, and availability [2].

Mitigation

The vendor was notified; the issue is present in PbootCMS versions up to 3.2.12. As of the publication date of this CVE (2026-05-26), no official patched release has been confirmed. Users should restrict administrative access, apply the principle of least privilege, and monitor the official PbootCMS website for updates [1], [2]. Where possible, disable the {pboot:sitecopyright} tag, or apply server-side input validation and sanitization to the configuration value before it is rendered.
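As an added illustration (not PbootCMS's own code), the block below reconstructs the two-step decode that the Vulnerability section attributes to decode_string() and pairs it with the kind of server-side sanitization the Mitigation section calls for. The function names mirror the advisory, the bodies are assumptions drawn from the description rather than the project's source, and the stored value is a constructed sample of what an entity-encoded footer string looks like after the backend saves it.

```php
<?php
declare(strict_types=1);

/*
 * Added illustration, not PbootCMS source. decode_string_vulnerable() models the
 * decode chain the advisory describes for decode_string() in ParserController.php;
 * decode_string_hardened() keeps the same decoding but refuses to let a PHP open
 * tag reach the compiled template.
 */

// Reverse C-style escapes, then reverse HTML entities. Applied to an
// entity-encoded value this restores the literal characters the admin typed,
// including any "<?php" tag that the backend's encoding had neutralised.
function decode_string_vulnerable(string $value): string
{
    return htmlspecialchars_decode(stripcslashes($value));
}

// Same decode, then re-encode the angle bracket of every PHP open tag and
// close tag. Matching on "<?" covers "<?php", "<?=", "<?PHP" and a bare "<?".
function decode_string_hardened(string $value): string
{
    $decoded = htmlspecialchars_decode(stripcslashes($value));
    return str_replace(['<?', '?>'], ['&lt;?', '?&gt;'], $decoded);
}

// True when a value still carries a PHP open tag. Usable both as a regression
// check on the decode step and as a pre-save validation rule for the field.
function contains_php_open_tag(string $value): bool
{
    return stripos($value, '<?') !== false;
}

// Constructed sample: a footer string as the backend stores it after entity
// encoding. The tag is inert text until something decodes it.
$stored = '&lt;?php echo 1; ?&gt; Copyright 2026';

var_dump(contains_php_open_tag(decode_string_vulnerable($stored)));  // vulnerable chain restores the tag
var_dump(contains_php_open_tag(decode_string_hardened($stored)));    // hardened chain leaves it encoded
```

The hardened function deliberately leaves ordinary HTML in the footer alone, since that is what the field is for; it only prevents PHP tags from being spliced into template source. A stronger structural fix is to stop interpolating configuration values into the template text at all and instead emit them as data at render time, so that nothing an administrator types can ever be parsed as code.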

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 2

News mentions: 0 (no linked articles in the index yet)