CVE-2018-19127

CRITICAL EXPLOITED NUCLEI

Phpcms - Code Injection

Title source: rule

Description

A code injection vulnerability in /type.php in PHPCMS 2008 allows attackers to write arbitrary content to a website cache file with a controllable filename, leading to arbitrary code execution. The PHP code is sent via the template parameter, and is written to a data/cache_template/*.tpl.php file along with a "<?php function " substring.

Exploits (1)

nomisec WRITEUP 41 stars

by ab1gale · poc

https://github.com/ab1gale/phpcms-2008-CVE-2018-19127

View Code ZIP pw:eip

Nuclei Templates (1)

PHPCMS 2008 - Remote Code Execution via Template Injection

CRITICALVERIFIEDby tomaquet18

Shodan: http.html:"Powered by phpcms"

FOFA: body="Powered by phpcms"

References (1)

[Third Party Advisory] https://github.com/ab1gale/phpcms-2008-CVE-2018-19127

Scores

CVSS v3 9.8

EPSS 0.8485

EPSS Percentile 99.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2019-04-04

CWE

CWE-94

Status published

Products (1)

phpcms/phpcms 2008

Published Nov 09, 2018

Tracked Since Feb 18, 2026