CVE-2009-20006
osCommerce <2.2 RC2a - RCE
Title source: llmDescription
osCommerce versions up to and including 2.2 RC2a contain a vulnerability in its administrative file manager utility (admin/file_manager.php). The interface allows file uploads and edits without sufficient input validation or access control. An unauthenticated attacker can craft a POST request to upload a .php file containing arbitrary code, which is then executed by the server.
Exploits (3)
exploitdb
WORKING POC
VERIFIED
by Metasploit · rubywebappsphp
https://www.exploit-db.com/exploits/16899
metasploit
WORKING POC
EXCELLENT
by egypt · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/oscommerce_filemanager.rb
References (5)
Scores
EPSS
0.7385
EPSS Percentile
98.8%
Classification
CWE
CWE-434
Status
draft
Timeline
Published
Sep 16, 2025
Tracked Since
Feb 18, 2026