FastCMS PluginController Code Execution Vulnerability

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.8

FastCMS PluginController Code Execution Vulnerability

CVE-2026-26682

Summary

A flaw in the PluginController of FastCMS allows a local attacker to run malicious code on the server, potentially leading to unauthorized access or data tampering. This affects versions of FastCMS prior to 0.1.6. Update to version 0.1.6 or later to fix the issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
xjd2020	fastcms	<= 0.1.6	–

Original title

An issue in fastCMS before v.0.1.6 allows a local attacker to execute arbitrary code via the PluginController.java component

Original description

An issue in fastCMS before v.0.1.6 allows a local attacker to execute arbitrary code via the PluginController.java component

nvd CVSS3.1 7.8

Vulnerability type

CWE-94 Code Injection

https://gist.github.com/sorzs/e3913b814e2e5548aa66de6c25b0510a Third Party Advisory
https://github.com/sorzs/test/tree/main/fastcms-rce Exploit Third Party Advisory

Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026