CVE-2021-47939
Published: 2026-05-10
Priority: P262 · high · 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.64% (46.0th percentile)
Evolution CMS 3.1.6 contains a remote code execution vulnerability that allows authenticated users with module creation permissions to execute arbitrary system commands by injecting PHP code into module parameters. Attackers can send POST requests to /manager/index.php with malicious PHP code in the 'post' parameter to create modules that execute arbitrary commands when invoked.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| evo | evolution_cms | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
Evolution CMS 3.1.6 /manager/index.php post code injection (Exploit 50296 / EDB-50296)
vuldb·2026-05-10·CVSS 8.7
CVE-2021-47939 [HIGH] Evolution CMS 3.1.6 /manager/index.php post code injection (Exploit 50296 / EDB-50296)
A vulnerability was found in Evolution CMS 3.1.6. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /manager/index.php. Executing a manipulation of the argument post can lead to code injection.
The identification of this vulnerability is CVE-2021-47939. The attack may be launched remotely. Furthermore, there is an exploit available.
GHSA
GHSA-w3hh-x22g-mhjw: Evolution CMS 3
ghsa_unreviewed·2026-05-10
CVE-2021-47939 [HIGH] CWE-94 GHSA-w3hh-x22g-mhjw: Evolution CMS 3
Evolution CMS 3.1.6 contains a remote code execution vulnerability that allows authenticated users with module creation permissions to execute arbitrary system commands by injecting PHP code into module parameters. Attackers can send POST requests to /manager/index.php with malicious PHP code in the 'post' parameter to create modules that execute arbitrary commands when invoked.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.