HIGH 7.3

CVE-2026-10273: Remote Code Execution in php-censor Webhook Handler

php-censor versions up to 2.1.6 contain a remote code execution vulnerability in the webhook processing logic. An attacker can manipulate the commitId parameter sent to the Webhook Endpoint to inject and execute arbitrary operating system commands on the affected server. No authentication is required, and the exploit technique has been publicly disclosed, increasing the likelihood of active exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-77, CWE-78
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A vulnerability was found in php-censor up to 2.1.6. This affects an unknown function of the file src/Model/Build/GitBuild.php of the component Webhook Endpoint. Performing a manipulation of the argument commitId results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The patch is named cd68d102601320bd319d590b75f7652e66f0685f. It is recommended to apply a patch to fix this issue.

9 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in src/Model/Build/GitBuild.php within php-censor's webhook endpoint handler. Insufficient input validation on the commitId argument allows an attacker to break out of intended command execution contexts and inject malicious OS commands. The flaw combines aspects of both command injection (CWE-77) and OS command injection (CWE-78), enabling direct shell access with the privileges of the php-censor process. The CVSS v3.1 score of 7.3 reflects high attack complexity scoring due to network accessibility (AV:N), low attack complexity (AC:L), no privilege requirements (PR:N), and no user interaction (UI:N), with potential impact to confidentiality, integrity, and availability.

Business impact

Successful exploitation grants an attacker the ability to execute arbitrary commands on the server, potentially leading to complete system compromise. Risk scenarios include lateral movement within your CI/CD infrastructure, data theft from build logs or connected repositories, deployment of malicious code into production pipelines, and disruption of your continuous integration workflow. Organizations using php-censor as part of their build automation are particularly exposed because attackers can leverage webhook traffic—often from trusted external sources like version control platforms—to bypass initial perimeter controls.

Affected systems

Any organization running php-censor version 2.1.6 or earlier with an exposed webhook endpoint is vulnerable. The webhook handler is typically accessible to external callers (e.g., GitHub, GitLab, Gitea webhook services) to trigger builds on code push events. Verify your php-censor deployment version and confirm whether your webhook endpoints are accessible from the internet or from untrusted networks.

Exploitability

Exploitability is moderate to high. The vulnerability requires no authentication and can be triggered by any actor with network access to the webhook endpoint—including legitimate webhook sources if an attacker can intercept or spoof webhook requests. Public disclosure of the exploit technique increases the risk of automated scanning and weaponized attack tools. However, successful exploitation does depend on the attacker understanding the expected webhook payload structure and crafting a malicious commitId value that achieves command injection in the Git command execution context.

Remediation

Apply the patch identified by commit hash cd68d102601320bd319d590b75f7652e66f0685f to your php-censor installation. This patch should address the input validation flaw in GitBuild.php. Verify the patch version against the official php-censor release notes and repository to ensure you are applying the correct update. As an interim measure, restrict network access to webhook endpoints to only known, trusted webhook sources (e.g., static IP ranges of your version control platform) using firewall rules or web application firewall policies.

Patch guidance

Upgrade php-censor to the version containing commit cd68d102601320bd319d590b75f7652e66f0685f. Consult the official php-censor repository and release notes to determine the next available release version after 2.1.6 that includes this patch. Test the patched version in a non-production environment first to ensure compatibility with your existing build configurations and plugins. After patching, restart all php-censor services and verify that webhook functionality remains operational by triggering a test build from your version control platform.

Detection guidance

Monitor php-censor webhook logs and web server access logs for requests containing suspicious characters or command injection patterns in the commitId parameter (e.g., backticks, dollar signs, pipes, semicolons, or command substitution syntax). Implement intrusion detection signatures that flag attempts to inject OS commands via webhook payloads. Monitor process execution logs on the php-censor server for unexpected shell or command-line processes spawned by the php-censor user account. Network-based detection can also identify anomalous webhook requests from unexpected sources or containing payloads that deviate from normal Git webhook structures.

Why prioritize this

This vulnerability merits prompt attention due to the combination of remote exploitability without authentication, public availability of exploitation techniques, direct impact on code delivery infrastructure, and the potential for supply chain compromise. Attackers can inject malicious code into builds, affecting all downstream consumers of your artifacts. Organizations should prioritize patching this vulnerability within their normal critical patch cycle.

Risk score, explained

The CVSS 7.3 HIGH rating reflects the serious but not critical nature of the flaw. The network attack vector (AV:N) and absence of authentication requirements (PR:N, UI:N) drive severity upward. The impact scope is unchanged (S:U), limiting the score below CRITICAL. However, the low attack complexity (AC:L) and confirmed public exploitability push the practical risk higher than the numeric score alone suggests. Organizations should apply additional risk context: internal exposure of the webhook endpoint lowers practical risk; internet-facing endpoints significantly raise it.

Frequently asked questions

Do we need to patch if our php-censor webhook endpoint is only accessible from internal networks?

Yes, but the urgency may be lower if you have strong network segmentation and can verify that only trusted internal systems can reach the endpoint. However, internal attackers, compromised development systems, or lateral movement from other breaches could still exploit this vulnerability. Patching remains the safest remediation.

Will patching php-censor disrupt our CI/CD pipelines?

Patching should not disrupt pipelines if applied to the same major version line and tested in advance. However, test the patched version in a staging environment to verify that webhook payloads are still processed correctly and that build jobs still trigger as expected. Plan patching during a maintenance window if you want to minimize any transient impact.

What if we cannot patch immediately—what else can we do?

Immediately restrict network access to your php-censor webhook endpoints using firewall rules, reverse proxy ACLs, or security group policies. Limit access to the static IP ranges of your trusted version control platforms. Implement request signing or token validation on incoming webhooks if php-censor supports it. Monitor webhook logs closely for signs of exploitation. These measures reduce exposure but do not eliminate the vulnerability; patching should remain your near-term priority.

How can we tell if our php-censor instance was already compromised?

Review webhook access logs and php-censor build logs for unusual commitId values containing shell metacharacters or command injection patterns. Check process execution logs (e.g., auditd on Linux) for unexpected processes spawned by the php-censor service user. Inspect recent build artifacts and deployment logs for unauthorized code changes. If you discover evidence of compromise, assume your build system may have been used to inject malicious code and review all recent deployments and artifacts for integrity.

This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. Verify all patch versions, affected product lists, and vendor guidance against official upstream sources and your own environment. CVSS scores represent severity under standard conditions and may not reflect your organization's specific risk context. Test all patches in non-production environments before deployment. SEC.co assumes no liability for damage or loss resulting from reliance on this information or failure to apply patches promptly. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).