CVE-2021-47900

CRITICAL WAF: High

CVSS 9.8 Published: 2026-01-27

CWE-98

Gila CMS versions prior to 2.0.0 contain a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through manipulated HTTP headers. Attackers can inject PHP code in the User-Agent header with shell_exec() to run system commands by sending crafted requests to the admin endpoint.

WAF Coverage Analysis

PHP Remote File Inclusion High WAF Coverage

OWASP: A03:2021 Injection

931xxx - Remote File Inclusion 933xxx - PHP Injection

References

gilacms.com
github.com
www.exploit-db.com
www.vulncheck.com

Back to CVE Database