CVE-2021-46360

HIGH

Composr-CMS <10.0.39 - Authenticated RCE

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-46360. PoCs published by Sarang Tumne.

AI-analyzed exploit summary This exploit leverages authenticated RCE in Composr-CMS by disabling .htaccess protections via Commandr, allowing PHP shell upload. It demonstrates a full chain from authentication to reverse shell execution.

Description

Authenticated remote code execution (RCE) in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a PHP shell through /adminzone/index.php?page=admin-commandr.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Sarang Tumne · textwebappsphp

https://www.exploit-db.com/exploits/51060

View Code ZIP pw:eip

This exploit leverages authenticated RCE in Composr-CMS by disabling .htaccess protections via Commandr, allowing PHP shell upload. It demonstrates a full chain from authentication to reverse shell execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Composr-CMS <=10.0.39

Auth required

Prerequisites: Admin credentials · Network access to target · PHP environment

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1105 - Ingress Tool Transfer T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://github.com/sartlabs/0days/blob/main/Composr-CMS/Exploit.py

View Exploit ZIP pw:eip

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/171489/Composr-CMS-10.0.39-Remote-Code-Execution.html

Scores

CVSS v3 8.8

EPSS 0.0918

EPSS Percentile 94.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

ocproducts/composr < 10.0.39

Published Feb 09, 2022

Tracked Since Feb 18, 2026