CVE-2021-41646

CRITICAL

Online Reviewer System 1.0 - Remote Code Execution via Malicious PHP File Upload

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-41646. PoCs published by Abdullah Khawaja, hax3xploit.

AI-analyzed exploit summary This exploit targets an unauthenticated file upload vulnerability in Online Reviewer System 1.0, allowing RCE via a maliciously crafted PHP file. It uploads a PHP web shell and executes commands on the target system.

Description

Remote Code Execution (RCE) vulnerability exists in Sourcecodester Online Reviewer System 1.0 by uploading a maliciously crafted PHP file that bypasses the image upload filters..

Exploits (2)

exploitdb WORKING POC
by Abdullah Khawaja · pythonwebappsphp
https://www.exploit-db.com/exploits/50319

This exploit targets an unauthenticated file upload vulnerability in Online Reviewer System 1.0, allowing RCE via a maliciously crafted PHP file. It uploads a PHP web shell and executes commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Online Reviewer System 1.0
No auth needed
Prerequisites: Target URL of vulnerable application
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by hax3xploit · poc
https://github.com/hax3xploit/CVE-2021-41646

This PoC exploits an unauthenticated file upload vulnerability in Online Reviewer System 1.0, allowing RCE by uploading a malicious PHP shell. The script uploads a PHP file with a shell_exec payload and interacts with it to execute arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Online Reviewer System 1.0
No auth needed
Prerequisites: Target application accessible via HTTP · File upload endpoint reachable
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/50319
Exploit, Third Party Advisory x_refsource_misc
https://www.nu11secur1ty.com/2021/12/cve-2021-41646.html

Scores

CVSS v3 9.8
EPSS 0.0698
EPSS Percentile 93.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (2)
janobe/online_reviewer_system 1.0
online_reviewer_system_project/online_reviewer_system 1.0
Published Oct 29, 2021
Tracked Since Feb 18, 2026