CVE-2020-26670

HIGH

BigTree CMS <4.4.10 - Command Injection

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-26670. PoCs published by SunCSR.

AI-analyzed exploit summary: The exploit demonstrates authenticated RCE in BigTree CMS 4.4.10 via crafted settings creation, leveraging the 'parser' parameter to execute system commands. It also includes SQLi and XSS PoCs, all requiring developer-level authentication.

Description

A vulnerability has been discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary commands through a crafted request sent to the server via the 'Create a New Setting' function.

Exploits (1)

exploitdb · WORKING POC
by SunCSR · text · webapps · php
https://www.exploit-db.com/exploits/48831

Classification
Working PoC: 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: BigTree CMS 4.4.10
Authentication: required
Prerequisites: Authenticated developer account · Access to admin panel
Analyzed by devstral-2 on Feb 18, 2026

References (1)

Exploit, Third Party Advisory, VDB Entry (x_refsource_misc): https://www.exploit-db.com/exploits/48831

Scores

CVSS v3 8.8
EPSS 0.0182
EPSS Percentile 75.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (1)
bigtreecms/bigtree_cms < 4.4.10
Published Jun 01, 2021
Tracked Since Feb 18, 2026