{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26682", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-02-26T18:53:00.554Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-02-26T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-26T16:53:42.684Z"}, "descriptions": [{"lang": "en", "value": "An issue in fastCMS before v.0.1.6 allows a local attacker to execute arbitrary code via the PluginController.java component"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/sorzs/test/tree/main/fastcms-rce"}, {"url": "https://gist.github.com/sorzs/e3913b814e2e5548aa66de6c25b0510a"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T18:52:24.335722Z", "id": "CVE-2026-26682", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T18:53:00.554Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26682", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-26T18:52:24.335722Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T18:51:12.646Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/sorzs/test/tree/main/fastcms-rce"}, {"url": "https://gist.github.com/sorzs/e3913b814e2e5548aa66de6c25b0510a"}], "descriptions": [{"lang": "en", "value": "An issue in fastCMS before v.0.1.6 allows a local attacker to execute arbitrary code via the PluginController.java component"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-26T16:53:42.684Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26682", "state": "PUBLISHED", "dateUpdated": "2026-02-26T18:53:00.554Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-26T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xjd2020:fastcms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1447FD1-1B56-4623-9F22-32D55BB477DB", "versionEndExcluding": "0.1.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in fastCMS before v.0.1.6 allows a local attacker to execute arbitrary code via the PluginController.java component"}], "id": "CVE-2026-26682", "lastModified": "2026-03-03T20:06:53.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-26T18:23:07.347", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://gist.github.com/sorzs/e3913b814e2e5548aa66de6c25b0510a"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/sorzs/test/tree/main/fastcms-rce"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.1.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "fastcms", "vendor": "my-fastcms"}], "analysis": {"en": {"generated_at": "2026-04-18T10:30:39.106004+00:00", "value": {"mitigation_remediation": ["Upgrade FastCMS to version 0.1.6 or later, which resolves the code\u2011injection issue.", "Restrict local shell access on servers that host FastCMS to trusted users only, mitigating the local attack surface.", "If an upgrade is not immediately possible, apply tighter file permissions to the PluginController module and audit custom plugins for unsafe input handling."], "summary": {"action": "Patch", "impact": "Local code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects FastCMS by Xjd2020. All releases prior to 0.1.6 are impacted; no other vendors or products are listed in the CNA data.", "description_and_impact": "FastCMS versions earlier than 0.1.6 contain a flaw in the PluginController.java module that permits a local attacker to inject and execute arbitrary code. This weakness matches CWE-94, a code\u2011injection vulnerability, and can allow an attacker with local access to run arbitrary commands, potentially compromising the confidentiality, integrity, and availability of the affected system.", "risk_and_exploitability": "The CVSS score of 7.8 indicates a high severity, while the EPSS of less than 1% suggests a low likelihood of exploitation in the wild. Because the flaw requires local access, remote attackers cannot directly exploit it. It is not listed in the CISA KEV catalog."}}}}, "created": "2026-02-27T09:07:39.284625+00:00", "title": "Local Code Execution via FastCMS PluginController", "updated": "2026-04-18T10:45:43.640246+00:00", "vendors": ["my-fastcms", "my-fastcms$PRODUCT$fastcms"]}