CVE-2026-10273
Published: 01 June 2026
Summary
CVE-2026-10273 is a medium-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 5.5 (Medium).
Operationally, ranked in the top 31.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2026-10273 is an OS command injection vulnerability affecting php-censor versions up to 2.1.6. It resides in an unknown function of the src/Model/Build/GitBuild.php file within the Webhook Endpoint component and is triggered by improper handling of the commitId argument, as indicated by the associated CWE-77 and CWE-78 classifications.
The flaw can be exploited remotely by unauthenticated attackers who supply a malicious commitId value to the webhook endpoint, resulting in arbitrary operating system command execution on the server with limited impact to confidentiality, integrity, and availability.
Project maintainers have published a patch under commit cd68d102601320bd319d590b75f7652e66f0685f that addresses the issue, and applying this update is recommended; further details appear in the associated GitHub repository, pull request, and issue tracker.
The exploit has been made public, yet the EPSS score has remained flat at 0.0214 with no material rise from its initial value.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-33667
Vulnerability details
A vulnerability was found in php-censor up to 2.1.6. This affects an unknown function of the file src/Model/Build/GitBuild.php of the component Webhook Endpoint. Performing a manipulation of the argument commitId results in os command injection. The attack can be initiated…
more
remotely. The exploit has been made public and could be used. The patch is named cd68d102601320bd319d590b75f7652e66f0685f. It is recommended to apply a patch to fix this issue.
- CWE(s)
Related Threats
CVEs Like This One
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.