CVE Alert

CVE-2013-10051

UNKNOWN 0.0

InstantCMS <= 1.6 Remote PHP Code Execution

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval() within the search view handler. Specifically, user-supplied input passed via the look parameter is concatenated into a PHP expression and executed without proper sanitization. A remote attacker can exploit this flaw by sending a crafted HTTP GET request with a base64-encoded payload in the Cmd header, resulting in arbitrary PHP code execution within the context of the web server.

CWE: CWE-95
Vendor: instantcms
Product: instantcms
Published: Aug 1, 2025
Last Updated: Apr 7, 2026

Affected Versions

InstantCMS / InstantCMS
* ≤ 1.6

References

NVD, CVE.org, EPSS Data
* raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/instantcms_exec.rb
* exploit-db.com: https://www.exploit-db.com/exploits/26622
* packetstorm.news: https://packetstorm.news/files/id/122176
* vulncheck.com: https://www.vulncheck.com/advisories/instantcms-remote-php-code-execution

Credits

Ricardo Jorge Borges de Almeida