Cyber Posture

CVE-2026-26682

High · Public PoC

Published: 26 February 2026

Modified: 03 March 2026
KEV Added:
Patch:
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (8.0th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26682 is a high-severity Code Injection (CWE-94) vulnerability in Xjd2020 Fastcms. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 8.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2, Flaw Remediation): Directly mitigates the CVE by requiring timely identification, reporting, and patching of the code injection flaw in PluginController.java, i.e. upgrading to version 0.1.6 or later.

prevent (SI-10, Information Input Validation): Prevents arbitrary code execution by enforcing validation of untrusted inputs to the vulnerable PluginController.java component.

prevent: Limits the scope and impact of local low-privilege arbitrary code execution by enforcing least privilege on the fastCMS application processes.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local code injection (CWE-94) in PluginController directly enables arbitrary code execution from low-privileged context, matching Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue in fastCMS before v.0.1.6 allows a local attacker to execute arbitrary code via the PluginController.java component.

Deeper analysis

CVE-2026-26682 is a code injection vulnerability (CWE-94) in fastCMS versions prior to 0.1.6. The flaw exists in the PluginController.java component, which allows arbitrary code execution. Published on 2026-02-26, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact with local access.

A local attacker with low privileges can exploit the vulnerability through low-complexity means without requiring user interaction. Exploitation grants the ability to execute arbitrary code on the affected system, resulting in high impacts to confidentiality, integrity, and availability.

Mitigation requires upgrading to fastCMS version 0.1.6 or later. Further technical details, including a proof-of-concept, are documented in the referenced sources: a GitHub Gist at https://gist.github.com/sorzs/e3913b814e2e5548aa66de6c25b0510a and a GitHub repository at https://github.com/sorzs/test/tree/main/fastcms-rce.

Details

CWE(s): CWE-94 (Code Injection)

Affected Products: xjd2020 fastcms ≤ 0.1.6

CVEs Like This One

CVE-2025-25943 (shared CWE-94)
CVE-2025-63421 (shared CWE-94)
CVE-2024-7425 (shared CWE-94)
CVE-2025-64691 (shared CWE-94)
CVE-2025-24159 (shared CWE-94)
CVE-2025-33240 (shared CWE-94)
CVE-2025-21292 (shared CWE-94)
CVE-2026-32573 (shared CWE-94)
CVE-2026-31857 (shared CWE-94)
CVE-2025-48984 (shared CWE-94)
