Description
ImpressCMS 1.4.2 contains a remote code execution vulnerability in the autotasks administrative interface that allows authenticated attackers to execute arbitrary PHP code by injecting malicious code into the sat_code parameter. Attackers can authenticate, submit a POST request to /modules/system/admin.php?fct=autotasks&op=mod with crafted sat_code containing PHP commands, which creates an executable file that accepts arbitrary commands via GET parameters.
Published: 2026-05-10
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ImpressCMS 1.4.2 contains a remote code execution flaw in the autotasks administration interface. An authenticated user can inject PHP code through the sat_code parameter of a POST request to /modules/system/admin.php?fct=autotasks&op=mod. The injected code is written to a file that the web server will execute, and that file in turn accepts arbitrary commands via GET parameters, giving the attacker code execution with the privileges of the web server process. From there the attacker can read, modify or delete site data and any database contents reachable by that process, attempt local privilege escalation, or use the host as a pivot for further attacks.

Affected Systems

The vulnerability affects the ImpressCMS content management system version 1.4.2, identified by the CPE string cpe:2.3:a:impresscms:impresscms:1.4.2. No other versions are listed in the CNA data. Administrators running this exact version should consider it exposed until a patch is applied; whether earlier or later releases share the flaw is not stated in the record, so operators of other versions should verify how their installation handles sat_code rather than assume they are unaffected.

Risk and Exploitability

The CVSS v4.0 base score of 8.7 (v3.1: 8.8) reflects network reachability, low attack complexity, no user interaction, and high confidentiality, integrity and availability impact; the only precondition is a low-privilege authenticated session (PR:L). CVSS does not measure likelihood of exploitation, and no EPSS score is available, so the current exploitation probability cannot be quantified. The absence of a KEV listing means no in-the-wild exploitation has been confirmed, not that the flaw is safe: the endpoint and parameter are publicly documented, and once an attacker holds valid credentials the sat_code payload is trivial to craft. Sites whose admin interface is reachable from the internet, or whose accounts lack strong authentication, should treat the threat as immediate.

Generated by OpenCVE AI on May 10, 2026 at 14:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a fixed ImpressCMS release as soon as the vendor publishes one; the CVE record currently lists no fix or workaround, so treat 1.4.2 as vulnerable in the meantime.
  • If patching is delayed, restrict access to the autotasks administrator interface, for example by denying requests to /modules/system/admin.php whose decoded query string contains fct=autotasks at the web server or WAF, or by limiting the whole admin path to trusted source addresses or a VPN. A WAF rule that rejects POST requests carrying a sat_code parameter will also block legitimate autotask edits, so pair it with the access restriction rather than relying on it alone, and match on decoded parameter names so percent-encoded variants are not missed.
  • Continuously monitor web server and application logs for POST requests to the autotasks endpoint (fct=autotasks&op=mod) and for new or recently modified PHP files under the web root, and review accounts to ensure only trusted administrators hold credentials that can reach the admin panel.
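As an added example, not code from the OpenCVE page or the ImpressCMS project, the following Python scans a combined-format web server access log for the request pattern described above: a POST to /modules/system/admin.php with fct=autotasks and op=mod in the query. The log lines, client addresses, usernames and timestamps are constructed. Standard access logs record the request line but not the POST body, so the sat_code value itself is never visible here; the check keys on method, path and decoded query parameters, and any rule on the body belongs in a WAF or in PHP-side request logging.

```python
"""Flag edits to the ImpressCMS autotasks editor in combined-format web server access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx "combined" format; not real traffic.
# Only the second line is a POST to the op=mod handler and should be flagged.
SAMPLE_LOG = """\
203.0.113.7 - admin [10/May/2026:13:01:02 +0000] "GET /modules/system/admin.php?fct=autotasks HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - admin [10/May/2026:13:01:09 +0000] "POST /modules/system/admin.php?fct=autotasks&op=mod HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - admin [10/May/2026:13:01:15 +0000] "GET /modules/system/admin.php?op=mod&fct=autotasks HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2026:13:02:30 +0000] "POST /modules/system/admin.php?fct=preferences HTTP/1.1" 200 800 "-" "curl/8.0"
"""

# Endpoint named in the CVE description.
ENDPOINT = "/modules/system/admin.php"

# Fields of the combined log format that the check needs: client, timestamp,
# request method and target, and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the needed fields from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_autotask_edit(method, target):
    """True for a POST to admin.php whose query selects fct=autotasks and op=mod.

    The query is decoded with parse_qs, so parameter order and percent-encoding
    (fct=auto%74asks) do not matter; a literal substring match would miss those.
    The sat_code body is not present in access logs and cannot be inspected here.
    """
    if method != "POST":
        return False
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return False
    query = parse_qs(parts.query)
    return "autotasks" in query.get("fct", []) and "mod" in query.get("op", [])


def find_autotask_edits(log_text):
    """Return (client_ip, timestamp, status) for every flagged request in the log text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_autotask_edit(rec["method"], rec["target"]):
            hits.append((rec["ip"], rec["ts"], rec["status"]))
    return hits


if __name__ == "__main__":
    for ip, ts, status in find_autotask_edits(SAMPLE_LOG):
        print(f"autotask edit from {ip} at {ts} (HTTP {status})")
```

Every flagged request deserves a look, since editing an autotask is a rare administrative action; a hit from an address that is not a known administrator workstation, or one followed by GET requests to a PHP file that did not previously exist under the web root, is the sequence the CVE description outlines.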


Advisories

No advisories yet.

History

Sun, 10 May 2026 13:00:00 +0000

Type                  Values Removed   Values Added
Description           -                ImpressCMS 1.4.2 contains a remote code execution vulnerability in the autotasks administrative interface that allows authenticated attackers to execute arbitrary PHP code by injecting malicious code into the sat_code parameter. Attackers can authenticate, submit a POST request to /modules/system/admin.php?fct=autotasks&op=mod with crafted sat_code containing PHP commands, which creates an executable file that accepts arbitrary commands via GET parameters.
Title                 -                ImpressCMS 1.4.2 Remote Code Execution via Autotasks
First Time appeared   -                Impresscms; Impresscms impresscms
Weaknesses            -                CWE-94
CPEs                  -                cpe:2.3:a:impresscms:impresscms:1.4.2:*:*:*:*:*:*:*
Vendors & Products    -                Impresscms; Impresscms impresscms
References            -                -
Metrics               -                cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                                       cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:43:56.455Z

Reserved: 2026-02-01T11:24:18.717Z

Link: CVE-2021-47938

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-10T13:16:30.100

Modified: 2026-05-10T13:16:30.100

Link: CVE-2021-47938

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T15:45:14Z

Weaknesses