CVE-2021-30149

CRITICAL

Composr 10.0.36 - Unauthenticated Arbitrary File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-30149. PoCs published by Orion Hridoy.

AI-analyzed exploit summary: This is a writeup describing a Remote Code Execution (RCE) vulnerability in Composr CMS 10.0.36. The vulnerability allows an attacker to bypass file extension restrictions in the 'Upload In Bulk' feature to upload malicious PHP files.

Description

Composr 10.0.36 allows upload and execution of PHP files.

Exploits (1)

exploitdb WRITEUP
by Orion Hridoy · text · webapps · php
https://www.exploit-db.com/exploits/49753

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Composr CMS 10.0.36
Auth required
Prerequisites: Access to the Composr CMS galleries upload functionality · Ability to intercept and modify HTTP requests
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Patch, Third Party Advisory x_refsource_misc
https://gitlab.com/composr-foundation/composr/commit/a71c44e03

Scores

CVSS v3: 9.8
EPSS: 0.1006
EPSS Percentile: 95.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-434
Status: published
Products (1): ocproducts/composr 10.0.36
Published: Apr 06, 2021
Tracked Since: Feb 18, 2026