CVE-2021-42580

CRITICAL

Online Learning System 2.0 - SQL Injection Authentication Bypass and Authenticated File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-42580. PoCs published by djebbaranon.

AI-analyzed exploit summary: This exploit leverages an SQL injection for authentication bypass and an arbitrary file upload vulnerability to achieve remote code execution (RCE) in Online Learning System 2.0. It uploads a PHP webshell and bruteforces its location to execute commands.

Description

Sourcecodester Online Learning System 2.0 is vulnerable to SQL injection authentication bypass in the admin login file (/admin/login.php) and to authenticated file upload in the Master.php file; these two vulnerabilities can be combined to get unauthenticated remote command execution.

Exploits (1)

exploitdb WORKING POC
by djebbaranon · python · webapps · php
https://www.exploit-db.com/exploits/50526

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Online Learning System 2.0
No auth needed
Prerequisites: Target URL · Network access to the vulnerable application
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0998
EPSS Percentile: 95.0%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (1): oretnom23/online_learning_system 2.0
Published: Nov 15, 2021
Tracked Since: Feb 18, 2026