CVE-2021-47736
HIGH
Cmsimple-xh Cmsimple XH - Code Injection
Title source: ruleDescription
CMSimple_XH 1.7.4 contains an authenticated remote code execution vulnerability in the content editing functionality that allows administrative users to upload malicious PHP files. Attackers with valid credentials can exploit the CSRF token mechanism to create a PHP shell file that enables arbitrary command execution on the server.
Exploits (1)
Scores
CVSS v3
7.2
EPSS
0.0112
EPSS Percentile
78.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-94
Status
published
Products (1)
cmsimple-xh/cmsimple_xh
1.7.4
Published
Dec 23, 2025
Tracked Since
Feb 18, 2026