Unauthenticated RCE disclosed in Pegasus CMS extra_fields plugin
TL;DR — Pegasus CMS’s extra_fields.php plugin can be abused for unauthenticated remote code execution by sending a crafted POST to submit.php that triggers unsafe eval behavior.
What happened
Pegasus CMS is a PHP-based content management system. A newly published CVE record (CVE-2019-25687) describes a Critical unauthenticated remote code execution issue in Pegasus CMS 1.0, attributed to unsafe eval functionality in the extra_fields.php plugin.
Per the CVE description, an attacker can send POST requests to the submit.php endpoint with malicious PHP code in the action parameter, resulting in arbitrary command execution and an interactive shell. The CVE references a public Exploit-DB entry, meaning exploitation can be straightforward for attackers targeting exposed installs.
Although the underlying public disclosure is dated (the CVE record lists datePublic as 2019-03-14), the CVE publication on 2026-04-05 matters operationally because it drives SCA/SBOM feeds, vulnerability management workflows, and “newly detected” alerts for legacy CMS deployments that may have been missed.
Who is impacted
- Deployments running
Pegasus CMSversion1.0. - Internet-exposed or otherwise untrusted-network-reachable Pegasus CMS instances.
| Item | Source value |
|---|---|
| Affected versions | 1.0 |
| Patched versions | Not stated in the CVE record |
| Attack precondition | Unauthenticated (PR:N) |
| Severity | CVSS v4.0 9.3 (Critical); CVSS v3.1 9.8 (Critical) |
| Public exploit reference | Yes (ExploitDB-46542) |
What to do now
- Follow vendor remediation guidance (the CVE record does not list a fixed version; validate your deployment’s upstream patch status before assuming you are covered).
- Inventory your environment for
Pegasus CMS(web roots, containers, SBOM/SCA results) and identify any instances matching the affected product/version. - Reduce exposure until you can confirm remediation:
- Remove public access to the CMS (network ACLs, VPN-only admin access) or place it behind an authenticated gateway.
- Add monitoring/detections for suspicious POST traffic to
submit.php, especially requests that appear to manipulate anactionparameter.
- If compromise is suspected, treat as an RCE-class incident:
- Preserve webserver/PHP-FPM logs and review for webshell creation or unexpected process execution.
- Rotate credentials and secrets reachable by the CMS runtime (database passwords, SMTP creds, API keys).
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.