fastCMS Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in fastCMS versions prior to 0.1.6. This issue allows local attackers to execute arbitrary code by uploading a malicious plugin. The vulnerability is introduced through the PluginController.java component, which does not properly validate plugin uploads, enabling the execution of crafted code on the server.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where fastCMS is running.

Reproduction

To reproduce this vulnerability, first build the fastCMS application and set up the necessary environment, including MySQL 5.7. After starting the application, create a malicious plugin that includes code to execute (such as opening the calculator application) and package it as a JAR file. Upload this JAR file through the fastCMS plugin management interface. Once the plugin is activated, the embedded code will be executed, demonstrating the remote code execution vulnerability.
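The page attributes the issue to PluginController.java accepting plugin uploads without proper validation, but does not say how version 0.1.6 fixed it. The following is an added, hypothetical example (not fastCMS's code) of the kind of check a plugin upload handler can apply before a JAR is ever stored or loaded: it enforces extension and size limits, lets JarFile verify the embedded signatures, and accepts only entries signed by a certificate whose SHA-256 fingerprint is on an operator-managed allowlist. The class and method names and the allowlist contents are assumptions; it targets Java 17 or later.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.CodeSigner;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.HexFormat;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Hypothetical gate for uploaded plugin JARs (example code, not part of fastCMS). */
public final class PluginUploadValidator {
    private static final long MAX_BYTES = 20L * 1024 * 1024;
    // SHA-256 fingerprints (lowercase hex) of certificates trusted to sign plugins; constructed placeholders.
    private final Set<String> trustedCertFingerprints;

    public PluginUploadValidator(Set<String> trustedCertFingerprints) {
        this.trustedCertFingerprints = trustedCertFingerprints;
    }

    /** Returns normally only if every non-metadata entry is signed by a trusted certificate. */
    public void validate(File upload) throws IOException, GeneralSecurityException {
        if (!upload.getName().toLowerCase().endsWith(".jar") || upload.length() > MAX_BYTES) {
            throw new SecurityException("rejected: not a .jar or exceeds size limit");
        }
        // verify=true makes JarFile check each entry's signature as its bytes are read;
        // a tampered entry throws SecurityException during the read below.
        try (JarFile jar = new JarFile(upload, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                String name = entry.getName();
                // Manifest and signature files are never themselves signed; skip them and directories.
                if (entry.isDirectory() || name.startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    in.transferTo(OutputStream.nullOutputStream()); // drain so verification completes
                }
                CodeSigner[] signers = entry.getCodeSigners(); // null when the entry is unsigned
                if (signers == null || !signedByTrusted(signers)) {
                    throw new SecurityException("rejected: unsigned or untrusted entry " + name);
                }
            }
        }
    }

    private boolean signedByTrusted(CodeSigner[] signers) throws GeneralSecurityException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (CodeSigner signer : signers) {
            Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
            String fp = HexFormat.of().formatHex(sha256.digest(leaf.getEncoded()));
            if (trustedCertFingerprints.contains(fp)) return true;
        }
        return false;
    }
}
```

Rejecting the upload before the JAR reaches the plugin directory matters because, as the Reproduction section notes, code in a loaded plugin runs with the server's privileges; an allowlist of signer fingerprints also gives operators a single place to revoke a compromised publisher.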

Added: Feb 26, 2026, 6:41 PM
Updated: Feb 26, 2026, 8:38 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 10.0
exploitability: 6.8
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.