CVE-2021-26599
ImpressCMS < 1.4.3 - SQL Injection via findusers.php Groups Parameter
Severity: CRITICAL · Nuclei template available
Title source: LLM
Exploitation Summary
EIP tracks 1 public exploit for CVE-2021-26599. PoCs published by Egidio Romano. A Nuclei detection template is also available.
AI-analyzed exploit summary: This exploit demonstrates a SQL injection vulnerability in ImpressCMS <= 1.4.2, which is leveraged to achieve remote code execution by creating an admin user and injecting malicious PHP code into an autotask.
Description
ImpressCMS before 1.4.3 allows include/findusers.php groups SQL Injection.
Exploits (1)
exploitdb
WORKING POC
by Egidio Romano · php · webapps · php
https://www.exploit-db.com/exploits/50839
Classification
Working PoC: 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ImpressCMS <= 1.4.2
Authentication: No auth needed
Prerequisites: Target must be running ImpressCMS <= 1.4.2 · cURL extension must be enabled in PHP
Analysis: devstral-2 · analyzed Feb 16, 2026
Nuclei Templates (1)
ImpressCMS < 1.4.3 - SQL Injection
HIGH · by ritikchaddha
Shodan:
http.html:"ImpressCMS"
FOFA:
body="ImpressCMS"
References (4)
Core References
https://hackerone.com/reports/1081145 (Permissions Required, Third Party Advisory; x_refsource_misc)
http://packetstormsecurity.com/files/166404/ImpressCMS-1.4.2-SQL-Injection.html (Exploit, Third Party Advisory, VDB Entry; x_refsource_misc)
http://seclists.org/fulldisclosure/2022/Mar/46 (Exploit, Mailing List, Third Party Advisory; x_refsource_misc)
http://karmainsecurity.com/KIS-2022-04 (Exploit, Third Party Advisory; x_refsource_misc)
Scores
CVSS v3: 9.8
EPSS: 0.1942
EPSS Percentile: 97.0%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-89
Status: published
Products (2)
impresscms/impresscms: < 1.4.4
impresscms/impresscms: 0 - 1.4.3 (Packagist)
Published: Mar 28, 2022
Tracked Since: Feb 18, 2026