CVE-2021-47964

HIGH

Schlix CMS 2.2.6-6 Remote Code Execution via core.blockmanager

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47964. PoCs published by Eren Saraç.

AI-analyzed exploit summary This exploit demonstrates an authenticated RCE vulnerability in Schlix CMS 2.2.6-6 by leveraging the ability to upload a malicious ZIP file containing a modified 'packageinfo.inc' file with embedded PHP code. The code is executed when accessing the 'About' tab of the installed extension.

Description

Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious extension packages through the block manager. Attackers can upload a crafted ZIP file containing PHP code in the packageinfo.inc file and trigger execution by accessing the About tab of the installed extension.

Exploits (1)

exploitdb WORKING POC

by Eren Saraç · textwebappsmultiple

https://www.exploit-db.com/exploits/49838

View Code ZIP pw:eip

This exploit demonstrates an authenticated RCE vulnerability in Schlix CMS 2.2.6-6 by leveraging the ability to upload a malicious ZIP file containing a modified 'packageinfo.inc' file with embedded PHP code. The code is executed when accessing the 'About' tab of the installed extension.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Schlix CMS 2.2.6-6

Auth required

Prerequisites: Authenticated access to the Schlix CMS admin panel · Ability to upload a ZIP file containing a malicious extension

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit exploit

ExploitDB-49838

https://www.exploit-db.com/exploits/49838

Product product

Official Product Homepage

https://www.schlix.com/

Product product

Product Reference

https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.6-6.zip

Third Party Advisory third-party-advisory

VulnCheck Advisory: Schlix CMS 2.2.6-6 Remote Code Execution via core.blockmanager

https://www.vulncheck.com/advisories/schlix-cms-6-remote-code-execution-via-core-blockmanager

Scores

CVSS v3 8.8

EPSS 0.0071

EPSS Percentile 48.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (1)

Schlix/Schlix CMS 2.2.6-6

Published May 15, 2026

Tracked Since May 16, 2026