CVE-2026-10273

EUVD-2026-33667

01.06.2026, 17:16

A vulnerability was found in php-censor up to 2.1.6. This affects an unknown function of the file src/Model/Build/GitBuild.php of the component Webhook Endpoint. Performing a manipulation of the argument commitId results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The patch is named cd68d102601320bd319d590b75f7652e66f0685f. It is recommended to apply a patch to fix this issue.

Command Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.3 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References

https://github.com/php-censor/php-censor/

https://github.com/php-censor/php-censor/commit/cd68d102601320bd319d590b75f7652e66f0685f

https://github.com/php-censor/php-censor/issues/442

https://github.com/php-censor/php-censor/pull/441

https://vuldb.com/cve/CVE-2026-10273

https://vuldb.com/submit/825315

https://vuldb.com/vuln/367552

https://vuldb.com/vuln/367552/cti