CVE-2021-47964

HIGH WAF: Medium

CVSS 8.8 Published: 2026-05-15

CWE-94

Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious extension packages through the block manager. Attackers can upload a crafted ZIP file containing PHP code in the packageinfo.inc file and trigger execution by accessing the About tab of the installed extension.

WAF Coverage Analysis

Code Injection Medium WAF Coverage

OWASP: A03:2021 Injection

932xxx - Remote Code Execution 933xxx - PHP Injection 934xxx - Node.js / Generic Injection

References

www.exploit-db.com
www.schlix.com
www.schlix.com
www.vulncheck.com

Back to CVE Database