CVE Alert

CVE-2021-47939

HIGH 8.8

Evolution CMS 3.1.6 Authenticated Remote Code Execution via Module Creation

CVSS Score: 8.8
EPSS Score: 0.0%
EPSS Percentile: 0th

Evolution CMS 3.1.6 contains a remote code execution vulnerability that allows authenticated users with module creation permissions to execute arbitrary system commands by injecting PHP code into module parameters. Attackers can send POST requests to /manager/index.php with malicious PHP code in the 'post' parameter to create modules that execute arbitrary commands when invoked.

CWE: CWE-94
Vendor: evo
Product: evolution cms
Published: May 10, 2026
Last Updated: May 11, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

Evo / Evolution CMS: 3.1.6

References

exploit-db.com: https://www.exploit-db.com/exploits/50296
evo.im: https://evo.im/
github.com: https://github.com/evolution-cms/evolution/releases
vulncheck.com: https://www.vulncheck.com/advisories/evolution-cms-authenticated-remote-code-execution-via-module-creation

Credits

Halit AKAYDIN (hLtAkydn)