CVE-2021-47938

HIGH 8.8

ImpressCMS 1.4.2 Remote Code Execution via Autotasks

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

ImpressCMS 1.4.2 contains a remote code execution vulnerability in the autotasks administrative interface that allows authenticated attackers to execute arbitrary PHP code by injecting malicious code into the sat_code parameter. Attackers can authenticate, submit a POST request to /modules/system/admin.php?fct=autotasks&op=mod with crafted sat_code containing PHP commands, which creates an executable file that accepts arbitrary commands via GET parameters.

CWE	CWE-94
Vendor	impresscms
Product	impresscms
Published	May 10, 2026
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for impresscms impresscms

Be the first to know when new high vulnerabilities affecting impresscms impresscms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Impresscms / ImpressCMS

1.4.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/50298 impresscms.org: https://www.impresscms.org/ impresscms.org: https://www.impresscms.org/modules/downloads/ vulncheck.com: https://www.vulncheck.com/advisories/impresscms-remote-code-execution-via-autotasks

Credits

Halit AKAYDIN (hLtAkydn)