CVE Alert

CVE-2009-20006

Severity: UNKNOWN (score 0.0)

osCommerce <= 2.2 Admin File Manager Arbitrary PHP Code Execution

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

osCommerce versions up to and including 2.2 RC2a contain a vulnerability in the administrative file manager utility (admin/file_manager.php). The interface allows file uploads and edits without sufficient input validation or access control. An unauthenticated attacker can craft a POST request to upload a .php file containing arbitrary code, which the server then executes.

CWE: CWE-434
Vendor: oscommerce
Product: oscommerce
Published: Sep 16, 2025
Last Updated: Apr 7, 2026

Affected Versions

osCommerce / osCommerce
* <= 2.2 RC2a

References

NVD, CVE.org, EPSS Data

* raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/oscommerce_filemanager.rb
* exploit-db.com: https://www.exploit-db.com/exploits/9556
* exploit-db.com: https://www.exploit-db.com/exploits/16899
* oscommerce.com: https://www.oscommerce.com/
* vulncheck.com: https://www.vulncheck.com/advisories/oscommerce-arbitrary-php-code-execution

Credits

flyh4t