CVE-2021-21014

CRITICAL

Magento <= 2.4.1 / <= 2.4.0-p1 / <= 2.3.6 - Authenticated RCE via file upload restriction bypass

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-21014. PoCs published by HoangKien1020.

AI-analyzed exploit summary: The repository lacks actual exploit code and only provides a brief description of CVE-2021-21014, a file upload restriction bypass in Magento. It references external links but does not include technical details or functional PoC code.

Description

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
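As an added check (not from the page and not Magento's own code): a small comparator that decides whether a given Magento version string falls inside the ranges stated in the description above. The bounds are transcribed from that description; the one assumption is Magento's release naming rule that a "-pN" patch release is newer than its base release, so 2.3.6-p1 sorts after 2.3.6.

```python
# Added example: version check for the ranges in the CVE-2021-21014 description.
# Not from the page or from Magento. Affected bounds are transcribed from the
# description; the ordering rule ("-pN" is newer than its base release) is
# Magento's release naming convention, assumed here.
import re
from typing import Tuple

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'X.Y.Z' or 'X.Y.Z-pN' into (X, Y, Z, N); base releases get N=0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


# Highest affected release on each branch named in the description:
#   "2.4.1 (and earlier)", "2.4.0-p1 (and earlier)", "2.3.6 (and earlier)".
# Key: (major, minor, patch); value: highest affected -p level on that branch.
_LAST_AFFECTED = {
    (2, 4, 1): 0,
    (2, 4, 0): 1,
    (2, 3, 6): 0,
}


def is_affected(text: str) -> bool:
    """True when the version is inside a range the description lists as affected."""
    v = parse_version(text)
    base = v[:3]
    if base in _LAST_AFFECTED:
        # Same branch as a listed bound: compare the -p level only.
        return v[3] <= _LAST_AFFECTED[base]
    # Any other release below 2.4.1 (2.3.5-p2, 2.2.x, ...) is "earlier" than a
    # listed bound; anything at or above 2.4.2 is past every listed range.
    return base < (2, 4, 1)


if __name__ == "__main__":
    # Constructed sample inputs, chosen to hit each branch of the check.
    for sample in ("2.4.2", "2.4.1-p1", "2.4.1", "2.4.0-p2", "2.4.0-p1",
                   "2.3.6-p1", "2.3.6", "2.3.5-p2", "2.2.9"):
        print(f"{sample:10s} affected={is_affected(sample)}")
```

The branch-specific bounds matter: a plain tuple comparison against 2.4.1 would wrongly report 2.4.0-p2 as affected even though the description stops that branch at 2.4.0-p1.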

Exploits (1)

nomisec · SUSPICIOUS · 4 stars
by HoangKien1020 · poc
https://github.com/HoangKien1020/CVE-2021-21014

Classification: Suspicious (90%)
Attack Type: RCE
Complexity: Theoretical
Reliability: Theoretical
Target: Magento <= 2.4.1
Auth required: yes
Prerequisites: Admin account with Media gallery or Products permission · Apache 2 web server
Analyzed by devstral-2 on Feb 18, 2026

References (1)


Scores

CVSS v3 9.1
EPSS 0.0037
EPSS Percentile 59.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (6)
magento/community-edition 0 - 2.3.6-p1 (Packagist)
magento/magento 2.3.6 (2 CPE variants)
magento/magento 2.4.0 (4 CPE variants)
magento/magento 2.4.1 (2 CPE variants)
magento/magento < 2.3.6 (2 CPE variants)
magento/project-community-edition 0 (Packagist)
Published Feb 11, 2021
Tracked Since Feb 18, 2026