A critical remote code execution (RCE) vulnerability, CVE-2019-25687, has been formally cataloged, affecting Pegasus CMS version 1.0.
Although the underlying exploit has existed for years, with a proof-of-concept published on Exploit-DB as far back as 2019, the CVE record was formally assigned and published on April 5, 2026, bringing renewed attention to an unpatched attack surface that could still affect legacy deployments of this content management system.
With a CVSS v3.1 base score of 9.8 (CRITICAL) and a CVSS v4.0 score of 9.3 (CRITICAL), this vulnerability represents one of the most dangerous classes of web application flaws: a pre-authentication code execution path that requires no special privileges, user interaction, or complex conditions to exploit.
Pegasus CMS 1.0 Now Exposed
Pegasus CMS is a PHP-based content management system developed by Wisdom, a creative and marketing agency based in Wollongong, Australia. The platform was designed to give businesses straightforward control over website content.
Like many smaller CMS platforms, it has not received the same level of ongoing security scrutiny as enterprise-grade alternatives, leaving older deployments potentially exposed to vulnerabilities like the one now formally documented under CVE-2019-25687.
At the core of CVE-2019-25687 is an unsafe use of PHP’s eval() function within the extra_fields.php plugin. eval() executes a string as PHP code at runtime, a powerful but inherently risky capability that, when fed unsanitized user input, becomes a direct gateway to arbitrary code execution.
The vulnerable code path processes user-supplied data sent in a POST request to the submit.php endpoint. Specifically, the action parameter is passed directly into eval() without any validation or sanitization.
An attacker can craft a POST request embedding arbitrary PHP code in this parameter, which the server then executes with the privileges of the web server process; from there, PHP functions such as system() or exec() give the attacker operating-system command execution under the same account.
A simplified attack sequence looks like this:
- The attacker identifies a publicly accessible Pegasus CMS 1.0 installation
- A crafted HTTP POST request is sent to submit.php with a malicious payload in the action parameter
- The server-side extra_fields.php plugin processes this input and passes it to eval()
- The injected PHP code executes on the server, allowing the attacker to run system commands with the web server’s privileges
- The attacker establishes an interactive reverse shell and can then set up persistence in the hosting environment
This exploit requires no authentication, making it accessible to any attacker who can reach the web server. The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H confirms that the attack is fully remote, low-complexity, and requires neither privileges nor user interaction.
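To make the bug class concrete, the following is an added illustrative reconstruction, not Pegasus CMS’s actual extra_fields.php code (which this page does not reproduce): a dispatcher that builds PHP source from the POST action parameter and hands it to eval(), beside an allowlist-based replacement that never treats input as code. The handler names, the exact string passed to eval(), and the demonstration payload are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example: illustrative reconstruction of the CVE-2019-25687 pattern.
// This is NOT Pegasus CMS's code; the handler names and the exact eval()
// string are assumptions chosen to show the bug class.

function save_handler(): string   { return 'saved'; }
function delete_handler(): string { return 'deleted'; }

// Vulnerable dispatcher: the POST 'action' value is concatenated into PHP
// source and executed. Whatever the client sends becomes server-side code.
function vulnerable_dispatch(array $post): string
{
    $action = $post['action'] ?? '';
    // e.g. action=save  ->  eval('return save_handler();')
    return (string) eval('return ' . $action . '_handler();');
}

// Hardened dispatcher: a fixed allowlist maps action names to handlers.
// User input is only ever used as a lookup key, never as code.
const ALLOWED_ACTIONS = [
    'save'   => 'save_handler',
    'delete' => 'delete_handler',
];

function safe_dispatch(array $post): string
{
    $action = $post['action'] ?? '';
    // $_POST values can be arrays, so check the type before the lookup.
    if (!is_string($action) || !array_key_exists($action, ALLOWED_ACTIONS)) {
        return 'error: unknown action';
    }
    $handler = ALLOWED_ACTIONS[$action];
    return $handler();
}

// Constructed request bodies (what $_POST would hold for each request).
$benign = ['action' => 'save'];
// A harmless injection payload: it closes the intended call and comments out
// the rest of the generated source. A real attacker would call system(),
// exec(), or write a web shell to disk instead of strtoupper().
$hostile = ['action' => 'strtoupper("injected");//'];

echo "vulnerable/benign:  ", vulnerable_dispatch($benign),  PHP_EOL;
echo "vulnerable/hostile: ", vulnerable_dispatch($hostile), PHP_EOL; // attacker-supplied code ran
echo "safe/benign:        ", safe_dispatch($benign),        PHP_EOL;
echo "safe/hostile:       ", safe_dispatch($hostile),       PHP_EOL; // rejected before any execution
```

Run it with php on the command line. The hostile payload turns the generated source into return strtoupper("injected");//_handler(); so the attacker’s expression runs and the trailing _handler() is commented away; the allowlist version rejects the same input because it is not a key in ALLOWED_ACTIONS. The fix is not to escape or filter the string better but to remove eval() from the request path entirely.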
CWE Classification and Technical Context
The CVE record classifies this vulnerability under CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal).
That is an unusual label for an eval() injection, which is more commonly filed as code injection (CWE-94 or CWE-95), and nothing in the published details describes a separate file-access path. Treat the CWE-22 tag as a cataloging detail rather than as evidence of an additional traversal vector; the documented risk is arbitrary PHP execution, which already lets an attacker read or write any file the web server process can reach.
Both CVSS v3.1 (9.8) and CVSS v4.0 (9.3) rate the flaw Critical, so the two frameworks agree on severity. Under CVSS v3.1 the exploitability sub-score is 3.9, the maximum for a network-reachable, low-complexity, unauthenticated attack that needs no user interaction, and the impact sub-score is 5.9, reflecting high loss across confidentiality, integrity, and availability; together they produce the 9.8 base score.
Exploit Availability and Real-World Risk
A working proof-of-concept exploit for this vulnerability has been publicly available on Exploit-DB (EDB-ID: 46542) since 2019, under the PHP web application exploits category. This means that any threat actor, including less technically sophisticated ones, can leverage ready-made exploit code to compromise vulnerable systems with minimal effort.
The formal CVE assignment in April 2026 under alternative identifiers EUVD-2019-20107 and GHSA-2284-8cw5-5697 suggests that this vulnerability is now receiving standardized tracking across multiple vulnerability databases, including ENISA’s European Vulnerability Database (EUVD) and GitHub Advisory Database (GHSA).
This cross-database visibility increases the likelihood that automated scanning tools will begin flagging live instances of Pegasus CMS 1.0.
Impact Assessment
A successful exploit of CVE-2019-25687 gives an attacker complete control over the web server process. From that initial foothold, the threat actor can:
- Exfiltrate sensitive data, including configuration files, database credentials, and user records
- Pivot to other internal systems on the same network segment
- Deploy web shells, ransomware, or cryptominers
- Deface or destroy the hosted website content
- Abuse the compromised server for phishing campaigns or as a command-and-control relay
For small and medium-sized businesses relying on Pegasus CMS for their web presence, the potential for business disruption is severe, particularly if the CMS server shares infrastructure with other critical services.
Recommended Mitigation
No official patch has been publicly announced for Pegasus CMS 1.0. Organizations still running this version should take the following steps immediately:
- Decommission or migrate away from Pegasus CMS 1.0 to a supported, actively maintained CMS
- Restrict public access to the submit.php and extra_fields.php endpoints via web server configuration or a WAF rule; expect any site feature that posts to submit.php to stop working, so treat this as a stopgap pending migration
- Conduct a forensic audit of server logs for historical exploitation attempts. The action parameter travels in the POST body, which default access logs do not record, so look for POST requests to submit.php from unexpected sources and for follow-on indicators such as new files in the web root, unexpected outbound connections, or processes spawned by the web server account
- Isolate the server from sensitive internal network resources to limit the potential for lateral movement
- Monitor threat feeds referencing CVE-2019-25687 for signs of active exploitation campaigns
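As a starting point for the log audit step above, here is an added example (not Pegasus CMS code, and not an official detection rule) that parses access log lines in the standard Apache/nginx combined format, collects POST requests to submit.php by source IP, and flags sources that look scripted. The log lines are constructed for the example; the IPs, timestamps, and user agents are made up. Because the POST body is not logged, the script can only surface candidates for closer inspection, not confirm that the action parameter carried code.

```php
<?php
declare(strict_types=1);

// Added example: triage of web server access logs for POST requests to
// submit.php. Not Pegasus CMS code. The log lines below are constructed
// samples in Apache/nginx "combined" format; IPs and timestamps are made up.
$sampleLog = <<<'LOG'
198.51.100.12 - - [03/Apr/2026:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
198.51.100.12 - - [03/Apr/2026:09:12:40 +0000] "POST /submit.php HTTP/1.1" 200 87 "https://example.test/contact" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2026:02:44:10 +0000] "POST /submit.php HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.7 - - [05/Apr/2026:02:44:11 +0000] "POST /submit.php HTTP/1.1" 200 0 "-" "python-requests/2.31"
LOG;

// Parse one combined-format line into its fields, or return null if it does not match.
function parse_combined(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
        'status' => (int) $m[5], 'referer' => $m[7], 'ua' => $m[8],
    ];
}

// Group POST requests to /submit.php by source IP.
// The 'action' parameter lives in the request body, which these logs do not
// contain, so every hit is a candidate to investigate, not proof of exploitation.
function submit_posts_by_ip(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_combined($line);
        if ($r === null || $r['method'] !== 'POST') {
            continue;
        }
        $path = strtok($r['path'], '?'); // drop any query string before comparing
        if (strtolower($path) !== '/submit.php') {
            continue;
        }
        $hits[$r['ip']][] = $r;
    }
    return $hits;
}

// Simple ranking heuristics: repeated POSTs, no Referer (the request did not
// come from a page on the site), and a scripted user agent.
function suspicious_sources(array $byIp): array
{
    $flagged = [];
    foreach ($byIp as $ip => $reqs) {
        $reasons = [];
        if (count($reqs) > 1) {
            $reasons[] = 'repeated POSTs';
        }
        if ($reqs[0]['referer'] === '-') {
            $reasons[] = 'no Referer';
        }
        if (preg_match('/curl|python|go-http|libwww/i', $reqs[0]['ua'])) {
            $reasons[] = 'scripted client';
        }
        if ($reasons) {
            $flagged[$ip] = $reasons;
        }
    }
    return $flagged;
}

$byIp = submit_posts_by_ip($sampleLog);
foreach (suspicious_sources($byIp) as $ip => $reasons) {
    printf("%s: %d POST(s) to submit.php (%s)\n", $ip, count($byIp[$ip]), implode(', ', $reasons));
}
```

On the constructed sample the browser-originated submission with a Referer is left alone and the scripted source is reported. On a real server, replace $sampleLog with the contents of the access log, then pivot from each flagged IP and timestamp to file-system changes under the web root and to process or network records from the same window, since that is where evidence of a successful eval() payload will actually show up.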
Frequently Asked Questions
Q1: Does CVE-2019-25687 require an attacker to have an existing account on Pegasus CMS?
No. This is a pre-authentication vulnerability, meaning attackers can exploit it without any valid credentials. The malicious POST request can be sent by any unauthenticated user who can reach the submit.php endpoint over the internet, making exposure on publicly accessible servers extremely high-risk.
Q2: Why was CVE-2019-25687 only formally assigned in April 2026 if the exploit dates to 2019?
This is not uncommon in the CVE ecosystem. Many vulnerabilities affecting niche or smaller software projects go unassigned for years because formal disclosure requires a CVE Numbering Authority (CNA) to process the request. A CNA formalized the record in April 2026 based on the existing Exploit-DB entry, ensuring the vulnerability now has standardized tracking across global vulnerability databases.
Site: thecybrdef.com