
Description

A vulnerability was found in php-censor up to 2.1.6. It affects an unknown function in the file src/Model/Build/GitBuild.php of the Webhook Endpoint component. Manipulating the commitId argument results in OS command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The patch is named cd68d102601320bd319d590b75f7652e66f0685f. Applying this patch is recommended to fix the issue.

PUBLISHED Reserved 2026-05-31 | Published 2026-06-01 | Updated 2026-06-03 | Assigner VulDB




MEDIUM: 6.9 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
HIGH: 7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
HIGH: 7.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Problem types

OS Command Injection

Command Injection

Timeline

2026-05-31: Advisory disclosed
2026-05-31: VulDB entry created
2026-05-31: VulDB entry last update

Credits

anch0r (VulDB User) reporter

References

github.com/php-censor/php-censor/pull/441 exploit

vuldb.com/vuln/367552 (VDB-367552 | php-censor Webhook Endpoint GitBuild.php os command injection) vdb-entry technical-description

vuldb.com/vuln/367552/cti (VDB-367552 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/cve/CVE-2026-10273 (CVE-2026-10273 | CVE Analysis and Report) third-party-advisory

vuldb.com/submit/825315 (Submit #825315 | php-censor <= 2.1.6 OS Command Injection) third-party-advisory

github.com/php-censor/php-censor/issues/442 exploit issue-tracking

github.com/php-censor/php-censor/pull/441 issue-tracking patch

github.com/...ommit/cd68d102601320bd319d590b75f7652e66f0685f patch

github.com/php-censor/php-censor/ product

cve.org (CVE-2026-10273)

nvd.nist.gov (CVE-2026-10273)
