CVE-2021-47753

CRITICAL

9.8

Description

phpKF CMS 3.00 Beta y6 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary code by bypassing file extension checks. Attackers can upload a PHP file disguised as a PNG, rename it, and execute system commands through a crafted web shell parameter.

CVE Details

CVSS v3.1 Score9.8

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published1/15/2026

Last Modified1/23/2026

Sourcenvd

Honeypot Sightings0

Affected Products

phpkf:cms

Weaknesses (CWE)

CWE-434

References

https://www.exploit-db.com/exploits/50610(disclosure@vulncheck.com)

https://www.phpkf.com/(disclosure@vulncheck.com)

https://www.phpkf.com/indirme.php(disclosure@vulncheck.com)

https://www.exploit-db.com/exploits/50610(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.