CVE-2019-9041

HIGH NUCLEI

ZZZCMS zzzphp 1.6.1 - Remote Code Execution via Template Parser If Label

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-9041. PoCs published by Yang Chenglong. A Nuclei detection template is also available.

AI-analyzed exploit summary The exploit describes a dynamic code evaluation vulnerability in zzzphp CMS 1.6.1 due to insufficient filtering in the parserIfLabel() function, allowing attackers to inject PHP code into template files. The writeup provides a technical explanation and a proof-of-concept payload but lacks full exploit code.

Description

An issue was discovered in ZZZCMS zzzphp V1.6.1. In the inc/zzz_template.php file, the parserIfLabel() function's filtering is not strict, resulting in PHP code execution, as demonstrated by the if:assert substring.

Exploits (1)

exploitdb WRITEUP
by Yang Chenglong · textwebappsphp
https://www.exploit-db.com/exploits/46454

The exploit describes a dynamic code evaluation vulnerability in zzzphp CMS 1.6.1 due to insufficient filtering in the parserIfLabel() function, allowing attackers to inject PHP code into template files. The writeup provides a technical explanation and a proof-of-concept payload but lacks full exploit code.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: zzzphp CMS 1.6.1
Auth required
Prerequisites: Admin panel access · Ability to edit template files
devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

ZZZCMS 1.6.1 - Remote Code Execution
HIGHby pikpikcu

References (2)

Core 2
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46454/

Scores

CVSS v3 7.2
EPSS 0.3193
EPSS Percentile 98.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-917
Status published
Products (1)
zzzcms/zzzphp 1.6.1
Published Feb 23, 2019
Tracked Since Feb 18, 2026