CVE-2020-5515
HIGH
Gila CMS 1.11.8 - SQL Injection via Admin SQL Query Parameter
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2020-5515. PoCs published by BillyV4.
AI-analyzed exploit summary
This exploit leverages SQL injection in Gila CMS 1.11.8 to write a PHP webshell to a known path, enabling remote command execution. The payload is a hex-encoded PHP shell that executes system commands via the 'cmd' parameter.
Description
Gila CMS 1.11.8 allows /admin/sql?query= SQL Injection.
Exploits (1)
exploitdb
WORKING POC
by BillyV4 · python · webapps · php
https://www.exploit-db.com/exploits/48590
Classification
Working PoC 95%
Attack Type
SQLi
Complexity
Moderate
Reliability
Reliable
Target:
Gila CMS 1.11.8
Auth required
Prerequisites:
Valid session cookies (PHPSESSID, GSESSIONID) · Access to the admin/sql endpoint · Write permissions to the target web directory
devstral-2 · analyzed Feb 16, 2026
References (3)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://infosecdb.wordpress.com/2020/01/05/gilacms-1-11-8-admin-sqlquery-sql-injection/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/158114/Gila-CMS-1.11.8-SQL-Injection.html
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/158140/Gila-CMS-1.1.18.1-SQL-Injection-Shell-Upload.html
Scores
CVSS v3
7.2
EPSS
0.2655
EPSS Percentile
97.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
gilacms/gila_cms
1.11.8
Published
Jan 06, 2020
Tracked Since
Feb 18, 2026