{"api_version":"1","generated_at":"2026-06-03T19:46:35+00:00","cve":"CVE-2026-10273","urls":{"html":"https://cve.report/CVE-2026-10273","api":"https://cve.report/api/cve/CVE-2026-10273.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-10273","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-10273"},"summary":{"title":"php-censor Webhook Endpoint GitBuild.php os command injection","description":"A vulnerability was found in php-censor up to 2.1.6. This affects an unknown function of the file src/Model/Build/GitBuild.php of the component Webhook Endpoint. Performing a manipulation of the argument commitId results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The patch is named cd68d102601320bd319d590b75f7652e66f0685f. It is recommended to apply a patch to fix this issue.","state":"PUBLISHED","assigner":"VulDB","published_at":"2026-06-01 17:16:43","updated_at":"2026-06-03 16:16:25"},"problem_types":["CWE-77","CWE-78","CWE-78 OS Command Injection","CWE-77 Command Injection"],"metrics":[{"version":"4.0","source":"cna@vuldb.com","type":"Secondary","score":"5.5","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"DECLARED","score":"6.9","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P","data":{"baseScore":6.9,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P","version":"4.0"}},{"version":"3.1","source":"cna@vuldb.com","type":"Secondary","score":"7.3","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.3","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C","data":{"baseScore":7.3,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C","version":"3.1"}},{"version":"3.0","source":"CNA","type":"DECLARED","score":"7.3","severity":"HIGH","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C","data":{"baseScore":7.3,"baseSeverity":"HIGH","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C","version":"3.0"}},{"version":"2.0","source":"cna@vuldb.com","type":"Secondary","score":"7.5","severity":"","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}},{"version":"2.0","source":"CNA","type":"DECLARED","score":"7.5","severity":"","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C","data":{"baseScore":7.5,"vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C","version":"2.0"}}],"references":[{"url":"https://vuldb.com/vuln/367552","name":"https://vuldb.com/vuln/367552","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/php-censor/php-censor/issues/442","name":"https://github.com/php-censor/php-censor/issues/442","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/submit/825315","name":"https://vuldb.com/submit/825315","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/php-censor/php-censor/commit/cd68d102601320bd319d590b75f7652e66f0685f","name":"https://github.com/php-censor/php-censor/commit/cd68d102601320bd319d590b75f7652e66f0685f","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/php-censor/php-censor/pull/441","name":"https://github.com/php-censor/php-censor/pull/441","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/vuln/367552/cti","name":"https://vuldb.com/vuln/367552/cti","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/cve/CVE-2026-10273","name":"https://vuldb.com/cve/CVE-2026-10273","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/php-censor/php-censor/","name":"https://github.com/php-censor/php-censor/","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-10273","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-10273","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"php-censor","version":"affected 2.1.0","platforms":[]},{"source":"CNA","vendor":"n/a","product":"php-censor","version":"affected 2.1.1","platforms":[]},{"source":"CNA","vendor":"n/a","product":"php-censor","version":"affected 2.1.2","platforms":[]},{"source":"CNA","vendor":"n/a","product":"php-censor","version":"affected 2.1.3","platforms":[]},{"source":"CNA","vendor":"n/a","product":"php-censor","version":"affected 2.1.4","platforms":[]},{"source":"CNA","vendor":"n/a","product":"php-censor","version":"affected 2.1.5","platforms":[]},{"source":"CNA","vendor":"n/a","product":"php-censor","version":"affected 2.1.6","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-05-31T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"source":"CNA","time":"2026-05-31T02:00:00.000Z","lang":"en","value":"VulDB entry created"},{"source":"CNA","time":"2026-05-31T16:24:02.000Z","lang":"en","value":"VulDB entry last update"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"anch0r (VulDB User)","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"10273","cve":"CVE-2026-10273","epss":"0.010200000","percentile":"0.775340000","score_date":"2026-06-02","updated_at":"2026-06-03 00:08:15"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-10273","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-03T15:12:43.751647Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-03T15:13:43.085Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://github.com/php-censor/php-censor/pull/441"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"cpes":["cpe:2.3:a:php-censor:php-censor:*:*:*:*:*:*:*:*"],"modules":["Webhook Endpoint"],"product":"php-censor","vendor":"n/a","versions":[{"status":"affected","version":"2.1.0"},{"status":"affected","version":"2.1.1"},{"status":"affected","version":"2.1.2"},{"status":"affected","version":"2.1.3"},{"status":"affected","version":"2.1.4"},{"status":"affected","version":"2.1.5"},{"status":"affected","version":"2.1.6"}]}],"credits":[{"lang":"en","type":"reporter","value":"anch0r (VulDB User)"}],"descriptions":[{"lang":"en","value":"A vulnerability was found in php-censor up to 2.1.6. This affects an unknown function of the file src/Model/Build/GitBuild.php of the component Webhook Endpoint. Performing a manipulation of the argument commitId results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The patch is named cd68d102601320bd319d590b75f7652e66f0685f. It is recommended to apply a patch to fix this issue."}],"metrics":[{"cvssV4_0":{"baseScore":6.9,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P","version":"4.0"}},{"cvssV3_1":{"baseScore":7.3,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C","version":"3.1"}},{"cvssV3_0":{"baseScore":7.3,"baseSeverity":"HIGH","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C","version":"3.0"}},{"cvssV2_0":{"baseScore":7.5,"vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C","version":"2.0"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-78","description":"OS Command Injection","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-77","description":"Command Injection","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-01T16:15:09.557Z","orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB"},"references":[{"name":"VDB-367552 | php-censor Webhook Endpoint GitBuild.php os command injection","tags":["vdb-entry","technical-description"],"url":"https://vuldb.com/vuln/367552"},{"name":"VDB-367552 | CTI Indicators (IOB, IOC, TTP, IOA)","tags":["signature","permissions-required"],"url":"https://vuldb.com/vuln/367552/cti"},{"name":"CVE-2026-10273 | CVE Analysis and Report","tags":["third-party-advisory"],"url":"https://vuldb.com/cve/CVE-2026-10273"},{"name":"Submit #825315 | php-censor <= 2.1.6 OS Command Injection","tags":["third-party-advisory"],"url":"https://vuldb.com/submit/825315"},{"tags":["exploit","issue-tracking"],"url":"https://github.com/php-censor/php-censor/issues/442"},{"tags":["issue-tracking","patch"],"url":"https://github.com/php-censor/php-censor/pull/441"},{"tags":["patch"],"url":"https://github.com/php-censor/php-censor/commit/cd68d102601320bd319d590b75f7652e66f0685f"},{"tags":["product"],"url":"https://github.com/php-censor/php-censor/"}],"tags":["x_open-source"],"timeline":[{"lang":"en","time":"2026-05-31T00:00:00.000Z","value":"Advisory disclosed"},{"lang":"en","time":"2026-05-31T02:00:00.000Z","value":"VulDB entry created"},{"lang":"en","time":"2026-05-31T16:24:02.000Z","value":"VulDB entry last update"}],"title":"php-censor Webhook Endpoint GitBuild.php os command injection"}},"cveMetadata":{"assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","assignerShortName":"VulDB","cveId":"CVE-2026-10273","datePublished":"2026-06-01T16:15:09.557Z","dateReserved":"2026-05-31T14:18:58.741Z","dateUpdated":"2026-06-03T15:13:43.085Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-01 17:16:43","lastModifiedDate":"2026-06-03 16:16:25","problem_types":["CWE-77","CWE-78","CWE-78 OS Command Injection","CWE-77 Command Injection"],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"10273","Ordinal":"1","Title":"php-censor Webhook Endpoint GitBuild.php os command injection","CVE":"CVE-2026-10273","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"10273","Ordinal":"1","NoteData":"A vulnerability was found in php-censor up to 2.1.6. This affects an unknown function of the file src/Model/Build/GitBuild.php of the component Webhook Endpoint. Performing a manipulation of the argument commitId results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The patch is named cd68d102601320bd319d590b75f7652e66f0685f. It is recommended to apply a patch to fix this issue.","Type":"Description","Title":"php-censor Webhook Endpoint GitBuild.php os command injection"}]}}}