CVE-2021-46361

CRITICAL

Magnolia CMS <6.2.11 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-46361. PoCs published by mbadanoiu.

AI-analyzed exploit summary: This repository provides a writeup and references for CVE-2021-46361, a FreeMarker restriction bypass in Magnolia CMS. It includes links to a PDF with exploitation details and credits the SSTI gadget inspiration to Synacktiv's research.

Description

An issue in the FreeMarker filter of Magnolia CMS v6.2.11 and below allows attackers to bypass security restrictions and execute arbitrary code via a crafted FreeMarker payload.

Exploits (1)

nomisec WRITEUP
by mbadanoiu · poc
https://github.com/mbadanoiu/CVE-2021-46361


Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Magnolia CMS v6.2.11 and below
No auth needed
Prerequisites: Access to a vulnerable Magnolia CMS instance
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.0100
EPSS Percentile 77.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (2)
info.magnolia/magnolia-core 0 - 6.2.12 (Maven)
magnolia-cms/magnolia_cms < 6.2.12
Published Feb 11, 2022
Tracked Since Feb 18, 2026