Which SIEM platforms have a CVE-2026-48030 detection rule?

df00tech provides CVE-2026-48030 (Pheditor OS Command Injection via Unsanitized 'dir' Parameter (CVE-2026-48030)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the CVE-2026-48030 detection?

The CVE-2026-48030 detection is rated critical severity with high confidence.

What are common false positives for CVE-2026-48030?

Common false positives for CVE-2026-48030 include: Legitimate Pheditor usage by developers running terminal commands against known-safe directories; Automated CI/CD pipelines that invoke PHP CLI tools with directory parameters; Security scanners or vulnerability assessment tools probing the endpoint.

CVE-2026-48030

Pheditor OS Command Injection via Unsanitized 'dir' Parameter (CVE-2026-48030)

Q: What data sources are required to detect Pheditor OS Command Injection via Unsanitized 'dir' Parameter (CVE-2026-48030) (CVE-2026-48030)?

Detecting Pheditor OS Command Injection via Unsanitized 'dir' Parameter (CVE-2026-48030) requires the following data sources: Microsoft Defender for Endpoint, Microsoft Sentinel, DeviceProcessEvents, DeviceNetworkEvents.

Execution Persistence Privilege Escalation Lateral Movement Last updated: June 21, 2026

Detects exploitation of CVE-2026-48030, a critical OS command injection vulnerability in Pheditor versions 2.0.1 through 2.0.3. The terminal handler accepts an unsanitized 'dir' parameter that is passed directly to a shell command, allowing unauthenticated or authenticated attackers to execute arbitrary OS commands on the hosting server. A public proof-of-concept exists, making active exploitation likely.

Vulnerability Intelligence

Public PoC

CVE

CVE-2026-48030↗ NVD

Affected Software

Vendor: composer
Product: pheditor/pheditor
Versions: >= 2.0.1, <= 2.0.3

Weakness (CWE)

CWE-78

Timeline

Disclosed: June 9, 2026

References & Proof of Concept

CVSS

9.9

Critical (9.0–10)

Read the write-up →

What is CVE-2026-48030 Pheditor OS Command Injection via Unsanitized 'dir' Parameter (CVE-2026-48030)?

Pheditor OS Command Injection via Unsanitized 'dir' Parameter (CVE-2026-48030) (CVE-2026-48030) maps to the Execution and Persistence and Privilege Escalation and Lateral Movement tactics — the adversary is trying to run malicious code in MITRE ATT&CK.

This page provides production-ready detection logic for Pheditor OS Command Injection via Unsanitized 'dir' Parameter (CVE-2026-48030), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel, DeviceProcessEvents, DeviceNetworkEvents. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Execution Persistence Privilege Escalation Lateral Movement

Microsoft Sentinel / Defender

kusto

union DeviceProcessEvents, DeviceNetworkEvents
| where TimeGenerated >= ago(24h)
| where InitiatingProcessFileName in~ ("php", "php-fpm", "php-cgi", "httpd", "apache2", "nginx")
| where (ProcessCommandLine contains "pheditor" or InitiatingProcessCommandLine contains "pheditor")
    or (ProcessCommandLine matches regex @"(?i)(dir=|%26|%7C|%3B)[\s]*([a-z]+\s+\/|whoami|id|cat\s+\/etc|curl|wget|bash|sh\s+-c|powershell)")
| extend SuspiciousTokens = extract_all(@"(?i)(whoami|id\b|uname|cat\s+/etc/passwd|curl\s+http|wget\s+http|bash\s+-[ic]|sh\s+-c|python[23]?\s+-c|perl\s+-e|nc\s+-|ncat\s+|chmod\s+[0-9]+|/tmp/[a-zA-Z0-9]+)", ProcessCommandLine)
| where array_length(SuspiciousTokens) > 0 or array_length(extract_all(@"(?i)(whoami|id\b|uname|cat\s+/etc/passwd|curl\s+http|wget\s+http|bash\s+-[ic]|sh\s+-c|python[23]?\s+-c|perl\s+-e|nc\s+-|ncat\s+|chmod\s+[0-9]+|/tmp/[a-zA-Z0-9]+)", InitiatingProcessCommandLine)) > 0
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessFileName, RemoteIP, RemotePort, ActionType
| extend AlertDetail = "Potential CVE-2026-48030 exploitation: OS command injection via Pheditor terminal handler dir parameter"

Detects process execution chains originating from PHP/web server processes that match patterns consistent with OS command injection exploitation of the Pheditor terminal handler. Looks for suspicious child processes spawned by PHP with command-line tokens associated with post-exploitation activity.

critical severity high confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel DeviceProcessEvents DeviceNetworkEvents

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Legitimate Pheditor usage by developers running terminal commands against known-safe directories
Automated CI/CD pipelines that invoke PHP CLI tools with directory parameters
Security scanners or vulnerability assessment tools probing the endpoint
Developers testing file manager functionality in staging environments

Splunk

spl

index=web OR index=os sourcetype IN ("access_combined", "apache_access", "nginx:access", "iis", "linux_audit", "syslog", "auditd")
| eval is_pheditor_request = if(match(uri_path, "(?i)pheditor") OR match(uri_query, "(?i)(dir=|terminal)"), 1, 0)
| eval has_injection_chars = if(match(uri_query, "(?i)(%26|%7C|%3B|%60|\$\(|&&|\|\||;)") OR match(uri_query, "(?i)(whoami|id%20|uname|passwd|wget|curl|bash|sh%20-c|python.*-c|chmod|/tmp/)"), 1, 0)
| where is_pheditor_request=1 OR has_injection_chars=1
| eval combined_indicator = if(is_pheditor_request=1 AND has_injection_chars=1, "HIGH_CONFIDENCE", if(is_pheditor_request=1 OR has_injection_chars=1, "MEDIUM_CONFIDENCE", "LOW_CONFIDENCE"))
| join type=left clientip [
    search index=os sourcetype IN ("linux_audit", "auditd", "syslog") "execve"
    | rex field=_raw "execve\(\"(?P<executed_cmd>[^\"]+)\""
    | eval suspicious_cmd = if(match(executed_cmd, "(?i)(whoami|id$|uname|cat\s+/etc|wget\s+http|curl\s+http|bash\s+-[ic]|sh\s+-c|nc\s+-|ncat|chmod)"), 1, 0)
    | where suspicious_cmd=1
    | stats count as cmd_count, values(executed_cmd) as executed_commands by src_ip
    | rename src_ip as clientip
]
| where combined_indicator="HIGH_CONFIDENCE" OR (combined_indicator="MEDIUM_CONFIDENCE" AND cmd_count > 0)
| table _time, clientip, uri_path, uri_query, status, combined_indicator, executed_commands, cmd_count
| eval alert_name="CVE-2026-48030 Pheditor Command Injection Suspected"

Correlates web access logs for Pheditor terminal handler requests containing injection metacharacters with OS-level audit events showing suspicious process execution from the web server account, providing high-fidelity exploitation detection.

critical severity high confidence

Data Sources

Web server access logs Linux auditd Syslog

Required Sourcetypes

access_combined apache_access nginx:access linux_audit auditd

False Positives

Developers legitimately using Pheditor's terminal to navigate directories with special characters in path names
URL-encoded directory paths that superficially resemble injection payloads
Security testing tools scanning the application surface area
Automated backup or monitoring scripts that invoke the Pheditor API programmatically

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  URL,
  "username",
  QIDNAME(qid) AS event_name,
  logsourcename(logsourceid) AS log_source,
  CATEGORYNAME(category) AS category_name
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Apache HTTP Server', 'NGINX', 'PHP', 'Linux OS')
  AND devicetime > NOW() - 1 HOURS
  AND (
    (
      URL ILIKE '%pheditor%'
      AND (
        URL ILIKE '%dir=%26%'
        OR URL ILIKE '%dir=%7C%'
        OR URL ILIKE '%dir=%3B%'
        OR URL ILIKE '%dir=%60%'
        OR URL ILIKE '%whoami%'
        OR URL ILIKE '%wget%'
        OR URL ILIKE '%curl%'
        OR URL ILIKE '%bash%'
        OR URL ILIKE '%/tmp/%'
        OR URL ILIKE '%sh%20-c%'
      )
    )
    OR (
      "Process Name" ILIKE '%sh%'
      AND "Parent Process Name" ILIKE '%php%'
      AND (
        "Command" ILIKE '%whoami%'
        OR "Command" ILIKE '%id %'
        OR "Command" ILIKE '%uname%'
        OR "Command" ILIKE '%cat /etc/%'
        OR "Command" ILIKE '%wget %'
        OR "Command" ILIKE '%curl %'
        OR "Command" ILIKE '%nc %'
        OR "Command" ILIKE '%chmod %'
      )
    )
  )
ORDER BY devicetime DESC

QRadar AQL query detecting Pheditor terminal handler exploitation by looking for HTTP requests with injection payloads in the dir parameter and correlating with process execution events showing shell commands running under PHP parent processes.

critical severity medium confidence

Data Sources

QRadar SIEM Apache/NGINX log sources Linux OS log sources

Required Tables

events

False Positives

Legitimate developers using Pheditor terminal with URL-encoded directory paths containing special characters
PHP applications that spawn shell processes for legitimate operational purposes
Security scanners generating request patterns that match injection signatures
Internal penetration testing activities against the web application

Google Chronicle / SecOps

yaral

rule cve_2026_48030_pheditor_command_injection {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2026-48030 OS command injection attempts via Pheditor terminal handler dir parameter"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://github.com/advisories/GHSA-jvc5-6g7q-c843"
    cve = "CVE-2026-48030"

  events:
    (
      $http.metadata.event_type = "NETWORK_HTTP"
      AND (
        re.regex($http.target.url, `(?i)pheditor`) OR
        re.regex($http.target.url, `(?i)[?&]dir=`)
      )
      AND (
        re.regex($http.target.url, `(?i)(%26|%7C|%3B|%60|\$\()`) OR
        re.regex($http.target.url, `(?i)(whoami|wget|curl|bash|sh\+-c|python.*-c|nc\s+|chmod|/tmp/)`) OR
        re.regex($http.target.url, `(?i)(%2F|dir=.*&&|dir=.*\|\|)`)
      )
    ) OR (
      $proc.metadata.event_type = "PROCESS_LAUNCH"
      AND re.regex($proc.principal.process.file.full_path, `(?i)(apache2|httpd|nginx|php-fpm|php-cgi)`)
      AND re.regex($proc.target.process.file.full_path, `(?i)^/(bin|usr/bin)/(sh|bash|dash|id|whoami|wget|curl|nc|ncat|python3?|perl)$`)
    )

  condition:
    $http or $proc
}

Chronicle YARA-L 2.0 rule detecting CVE-2026-48030 exploitation through two signals: HTTP requests to Pheditor endpoints with injection metacharacters in the dir parameter, and process launch events showing shell/utility binaries spawned from web server parent processes.

critical severity high confidence

Data Sources

Google Chronicle SIEM Web proxy logs EDR process telemetry

Required Tables

UDM Events - NETWORK_HTTP UDM Events - PROCESS_LAUNCH

False Positives

Legitimate development activity with Pheditor where developers run terminal commands
Automated deployment scripts invoking PHP applications that spawn subprocess calls
URL-encoded path navigation that incidentally matches injection patterns
Security scanning tools performing web application assessments

CrowdStrike LogScale (CQL)

cql

// CVE-2026-48030: Pheditor OS Command Injection Detection
#event_simpleName IN (ProcessRollup2, SyntheticProcessRollup2, NetworkConnectIP4)
| ImageFileName CONTAINS ANYCASE ("apache2", "httpd", "nginx", "php-fpm", "php", "php-cgi")
| CommandLine CONTAINS ANYCASE ("pheditor", "terminal")
| CommandLine MATCHES REGEX "(?i)(dir=.*(%26|%7C|%3B|%60)|dir=.*(whoami|wget|curl|bash|sh -c|python -c|perl -e|nc \\d|chmod|/tmp/|/bin/sh))"
| let injection_signal = true()
| join
  [
    #event_simpleName IN (ProcessRollup2, SyntheticProcessRollup2)
    | ParentImageFileName CONTAINS ANYCASE ("apache2", "httpd", "nginx", "php-fpm", "php", "php-cgi")
    | ImageFileName MATCHES REGEX "(?i)^/(bin|usr/bin|usr/local/bin)/(sh|bash|dash|ash|id|whoami|uname|wget|curl|nc|ncat|python3?|perl|ruby|chmod)$"
    | CommandLine NOT CONTAINS "-mime"
    | let child_shell = true()
  ] ON aid
| where injection_signal == true OR child_shell == true
| select timestamp, aid, ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName, ParentCommandLine, LocalAddressIP4, RemoteAddressIP4, RemotePort
| sort timestamp desc

CrowdStrike Falcon query correlating web server process command lines containing Pheditor terminal handler patterns with injection metacharacters, joined against child process events showing shell or utility binaries spawned from web server parent processes on the same agent.

critical severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon ProcessRollup2 events Falcon NetworkConnectIP4 events

Required Tables

ProcessRollup2 SyntheticProcessRollup2 NetworkConnectIP4

False Positives

Authorized penetration testing or red team activities against Pheditor instances
Developers using Pheditor terminal features to run legitimate maintenance commands
Web application scanning tools that probe terminal endpoints with encoded payloads
Legitimate PHP applications that spawn controlled subprocesses as part of their workflow

Sigma rule & cross-platform mapping

The detection logic for Pheditor OS Command Injection via Unsanitized 'dir' Parameter (CVE-2026-48030) (CVE-2026-48030) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2026-48030 Sigma rules on detection.fyi

Platform-specific guides for CVE-2026-48030

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-06-21 Research depth: standard

References (3)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Basic whoami Injection via dir Parameter
Expected signal: Web server access log entry showing request URI containing '%3B' and 'whoami'. Auditd EXECVE record for /usr/bin/whoami with parent process php-fpm or apache2 and uid matching the web server service account.
Test 2Out-of-Band Data Exfiltration via DNS Lookup
Expected signal: DNS query from web server IP to attacker-controlled domain visible in DNS server logs and network flow data. Auditd record for nslookup or dig process spawned under web server account. NetworkConnect events from DeviceNetworkEvents to the external DNS resolver.
Test 3Web Shell Implantation via Piped Command Chain
Expected signal: Auditd OPENAT/CREATE syscall for /var/www/html/shell.php attributed to web server service account. File creation event in EDR telemetry (DeviceFileEvents or equivalent) with InitiatingProcessFileName=php/apache2 and FileName=shell.php. Web server access log entry with %7C in the dir parameter.
Test 4Reverse Shell via Bash TCP Redirect
Expected signal: Auditd EXECVE for bash with arguments '-i' and '/dev/tcp/ATTACKER_LAB_IP/4444' under web server parent process. Outbound TCP connection from web server to attacker lab IP on port 4444 in network flow logs. DeviceNetworkEvents entry from the EDR showing the connection establishment.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2026-48030 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0002Execution TA0003Persistence TA0004Privilege Escalation TA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing Application T1059.004Unix Shell T1505.003Web Shell T1083File and Directory Discovery

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2026-48030 Pheditor OS Command Injection via Unsanitized 'dir' Parameter (CVE-2026-48030)?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2026-48030

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Execution

Popular Detections

Get new detections in your inbox