Description
Pegasus CMS 1.0 contains a remote code execution vulnerability in the extra_fields.php plugin that allows unauthenticated attackers to execute arbitrary commands by exploiting unsafe eval functionality. Attackers can send POST requests to the submit.php endpoint with malicious PHP code in the action parameter to achieve code execution and obtain an interactive shell.
Published: 2026-04-05
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Pegasus CMS 1.0 is vulnerable to remote code execution through the extra_fields.php plugin, which improperly evaluates user-supplied PHP code. An unauthenticated attacker can craft POST requests targeting the submit.php endpoint, inserting malicious PHP code into the action parameter. Successful exploitation grants the attacker the ability to execute arbitrary commands on the webserver, potentially providing full control and an interactive shell. This flaw exposes the system to complete confidentiality, integrity, and availability compromise.

Affected Systems

The vulnerability applies to Pegasus CMS version 1.0, distributed by Wisdom. No other versions or products are listed as affected.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. Although no EPSS information is available, so the exploit probability is uncertain, the risk remains high because no authentication is required. The CISA KEV database does not list this issue, suggesting it is not yet widely exploited, but the unrestricted network attack vector means attackers can reach the target with standard HTTP requests. If the CMS is exposed to the internet, attackers can trivially trigger the vulnerability by sending crafted requests, leading to immediate compromise without further prerequisites.

Generated by OpenCVE AI on April 5, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch or upgrade Pegasus CMS to a newer version that removes the eval vulnerability.
  • If an official patch is not yet available, restrict external access to the Pegasus CMS web server, allowing only trusted IP addresses to reach the application.
  • Configure a web application firewall to detect and block POST requests containing PHP executable syntax in the action parameter.
  • Enable logging for all POST traffic to the submit.php endpoint and regularly review logs for suspicious activity.
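The logging-and-review step and the trusted-address restriction from the list above, worked through as an added example that is not part of the OpenCVE page or of Pegasus CMS itself: a small Python helper that walks access-log lines, keeps only POST requests to submit.php, checks the source address against an allowlist, and rates the action parameter on whether it looks like a plain action name or like PHP syntax. It assumes (not stated on the page) that the web server or reverse proxy writes a combined-format access log with one extra trailing quoted field holding the URL-encoded POST body, that TRUSTED_NETS is a placeholder for the real allowlist, and that the sample log lines are constructed for illustration.

```python
"""Review helper for POST traffic to submit.php.

Added example, not OpenCVE or Pegasus CMS code. Assumptions (not from the
advisory): the access log is in combined format with one extra trailing quoted
field holding the URL-encoded request body, and TRUSTED_NETS is a placeholder
for the real allowlist of addresses permitted to reach the CMS.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs

# Placeholder allowlist of networks permitted to reach the CMS (assumption).
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]

# Combined log format plus one trailing quoted field for the body (assumed format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)

# The endpoint named in the advisory; a query string does not change the match.
TARGET_PATH = re.compile(r"^/submit\.php(?:\?.*)?$")

# A legitimate action is a short identifier; PHP-looking syntax in it is suspect.
SAFE_ACTION = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
PHP_SYNTAX = re.compile(r"[();$`]|<\?|\b(?:eval|system|exec|passthru|shell_exec|assert)\b", re.I)


def is_trusted(ip):
    """True when the address falls inside one of the allowlisted networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def classify_action(body):
    """Return (severity, reason) for the action parameter of a URL-encoded body."""
    params = parse_qs(body, keep_blank_values=True)  # also percent-decodes values
    actions = params.get("action", [])
    if not actions:
        return "low", "no action parameter"
    for value in actions:
        if PHP_SYNTAX.search(value) or not SAFE_ACTION.match(value):
            return "high", "action parameter does not look like a plain action name: %r" % value
    return "low", "action parameter is a plain identifier"


def review(lines):
    """Return one finding per POST to submit.php; every other request is skipped."""
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not this log format, or a truncated line
        if m["method"] != "POST" or not TARGET_PATH.match(m["path"]):
            continue
        severity, reason = classify_action(m["body"])
        reasons = [reason]
        if not is_trusted(m["ip"]):
            reasons.append("source address is outside the trusted allowlist")
            if severity == "low":
                severity = "medium"  # benign-looking action, but from an untrusted source
        findings.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                         "severity": severity, "reasons": reasons})
    return findings


# Constructed sample lines (not real traffic); the first carries a harmless
# PHP-looking value so the classifier has something to flag.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Apr/2026:21:30:12 +0000] "POST /submit.php HTTP/1.1" 200 512 "action=print(1)%3B"',
    '192.168.1.20 - - [05/Apr/2026:21:31:02 +0000] "POST /submit.php HTTP/1.1" 200 512 "action=save&title=Hello"',
    '198.51.100.9 - - [05/Apr/2026:21:31:40 +0000] "GET /index.php HTTP/1.1" 200 1024 ""',
    '203.0.113.7 - - [05/Apr/2026:21:32:05 +0000] "POST /submit.php?x=1 HTTP/1.1" 200 512 "action=save"',
]

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["time"], "; ".join(f["reasons"]))
```

Run against the sample, the first line is rated high (PHP syntax in action, untrusted source), the trusted line with a plain action is low, the GET is ignored, and the untrusted POST with a plain action is medium. Lines without a body field fail the parse and are skipped rather than misreported, so confirm the body is actually being logged before relying on the "high" rating.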


Advisories

No advisories yet.

History

Fri, 24 Apr 2026 15:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:wisdom:pegasus_cms:1.0:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type: First Time Appeared
Values Added: Wisdom; Wisdom pegasus Cms

Type: Vendors & Products
Values Added: Wisdom; Wisdom pegasus Cms

Mon, 06 Apr 2026 20:00:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 05 Apr 2026 20:45:00 +0000

Type: Description
Values Added: Pegasus CMS 1.0 contains a remote code execution vulnerability in the extra_fields.php plugin that allows unauthenticated attackers to execute arbitrary commands by exploiting unsafe eval functionality. Attackers can send POST requests to the submit.php endpoint with malicious PHP code in the action parameter to achieve code execution and obtain an interactive shell.

Type: Title
Values Added: Pegasus CMS 1.0 Remote Code Execution via extra_fields.php

Type: Weaknesses
Values Added: CWE-22

Type: References
Values Added:

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Type: Metrics (cvssV4_0)
Values Added: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T18:21:04.155Z

Reserved: 2026-04-05T15:27:56.011Z

Link: CVE-2019-25687

Vulnrichment

Updated: 2026-04-06T18:20:52.925Z

NVD

Status : Analyzed

Published: 2026-04-05T21:16:47.490

Modified: 2026-04-24T15:42:55.380

Link: CVE-2019-25687

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:48:22Z

Weaknesses