Cyber Resilience

CVE-2026-10273

Medium

Published: 01 June 2026

Published
01 June 2026
Modified
03 June 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0137 68.3th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-10273 is a medium-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 5.5 (Medium).

Operationally, ranked in the top 31.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2026-10273 is an OS command injection vulnerability affecting php-censor versions up to 2.1.6. It resides in an unknown function of the src/Model/Build/GitBuild.php file within the Webhook Endpoint component and is triggered by improper handling of the commitId argument, as indicated by the associated CWE-77 and CWE-78 classifications.

The flaw can be exploited remotely by unauthenticated attackers who supply a malicious commitId value to the webhook endpoint, resulting in arbitrary operating system command execution on the server with limited impact to confidentiality, integrity, and availability.

Project maintainers have published a patch under commit cd68d102601320bd319d590b75f7652e66f0685f that addresses the issue, and applying this update is recommended; further details appear in the associated GitHub repository, pull request, and issue tracker.

The exploit has been made public, yet the EPSS score has remained flat at 0.0214 with no material rise from its initial value.

EU & UK References

Vulnerability details

A vulnerability was found in php-censor up to 2.1.6. This affects an unknown function of the file src/Model/Build/GitBuild.php of the component Webhook Endpoint. Performing a manipulation of the argument commitId results in os command injection. The attack can be initiated…

more

remotely. The exploit has been made public and could be used. The patch is named cd68d102601320bd319d590b75f7652e66f0685f. It is recommended to apply a patch to fix this issue.

CWE(s)

Related Threats

CVEs Like This One

CVE-2026-5352Shared CWE-77, CWE-78
CVE-2026-7037Shared CWE-77, CWE-78
CVE-2025-1339Shared CWE-77, CWE-78
CVE-2026-8229Shared CWE-77, CWE-78
CVE-2026-5688Shared CWE-77, CWE-78
CVE-2026-9404Shared CWE-77, CWE-78
CVE-2026-2544Shared CWE-77, CWE-78
CVE-2026-48694Shared CWE-77, CWE-78
CVE-2025-8825Shared CWE-77, CWE-78
CVE-2025-3002Shared CWE-77, CWE-78

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References