CVE-2021-28931

HIGH

Fork-cms Fork Cms < 5.9.3 - Unrestricted File Upload

Title source: rule

Description

Arbitrary file upload vulnerability in Fork CMS 5.9.2 allows attackers to create or replace arbitrary files in the /themes directory via a crafted zip file uploaded to the Themes panel.

References (2)

Core 2

Core References

Release Notes, Third Party Advisory x_refsource_misc

https://github.com/forkcms/forkcms/releases/tag/5.9.2

Third Party Advisory x_refsource_misc

https://github.com/bousalman/ForkCMS-arbitrary-upload/blob/main/README.md

View Writeup ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0042

EPSS Percentile 62.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (2)

fork-cms/fork_cms 5.9.2

forkcms/forkcms 0 - 5.9.3Packagist

Published Jul 07, 2021

Tracked Since Feb 18, 2026