CVE-2020-26668

HIGH

BigTree CMS <4.4.10 - SQL Injection


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-26668. PoCs published by SunCSR.

AI-analyzed exploit summary: The exploit demonstrates authenticated RCE in BigTree CMS 4.4.10 via crafted settings creation, leveraging the 'parser' parameter to execute system commands. It also includes SQLi and XSS PoCs, all requiring developer-level authentication.

Description

A SQL injection vulnerability was discovered in /core/feeds/custom.php in BigTree CMS 4.4.10 and earlier, which allows an authenticated attacker to inject a malicious SQL query into the application via the 'Create New Feed' function.

Exploits (1)

exploitdb · WORKING POC
by SunCSR · text · webapps · php
https://www.exploit-db.com/exploits/48831

Classification
Working PoC: 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: BigTree CMS 4.4.10
Auth required: yes
Prerequisites: Authenticated developer account · Access to admin panel
Analyzed by devstral-2 on Feb 18, 2026

References (1)

Core References (1)
Exploit, Third Party Advisory, VDB Entry · x_refsource_misc
https://www.exploit-db.com/exploits/48831

Scores

CVSS v3: 8.8
EPSS: 0.0140
EPSS Percentile: 68.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (1): bigtreecms/bigtree_cms < 4.4.10
Published: Jun 01, 2021
Tracked Since: Feb 18, 2026