Description
Evolution CMS 3.1.6 contains a remote code execution vulnerability that allows authenticated users with module creation permissions to execute arbitrary system commands by injecting PHP code into module parameters. Attackers can send POST requests to /manager/index.php with malicious PHP code in the 'post' parameter to create modules that execute arbitrary commands when invoked.
Published: 2026-05-10
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Evolution CMS version 3.1.6 lets an authenticated account that can create modules inject PHP code into module parameters. The injected code is executed when the module is triggered, allowing arbitrary system commands to run with the web server’s privileges. This is a classic code‑injection weakness (CWE‑94).

Affected Systems

The vulnerability affects Evolution CMS, specifically the 3.1.6 release. No other versions are listed as affected. Only users who can authenticate and acquire module‑creation permissions have the necessary privileges to exploit the flaw.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. Because no EPSS score is available, the probability of exploitation cannot be quantified, though the module parameter that carries the injected PHP is entirely user‑controlled. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, which weakens any indication that the flaw is being actively targeted. Successful exploitation requires a legitimate account with module‑creation permission and access to the /manager/index.php endpoint, so appropriate access controls on both are the primary mitigation.

Generated by OpenCVE AI on May 10, 2026 at 14:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Evolution CMS to a version that removes the vulnerability, such as 3.1.7 or later.
  • Revoke module creation permissions from all users that do not require them, limiting the attack surface for authenticated users.
  • Audit and enforce the principle that only trusted administrators have the rights to directly create or edit modules, and monitor POST requests to /manager/index.php for anomalous payloads.


Advisories

No advisories yet.

History

Sun, 10 May 2026 13:00:00 +0000

Type                 Values Removed   Values Added
-------------------  ---------------  ------------
Description          (none)           Evolution CMS 3.1.6 contains a remote code execution vulnerability that allows authenticated users with module creation permissions to execute arbitrary system commands by injecting PHP code into module parameters. Attackers can send POST requests to /manager/index.php with malicious PHP code in the 'post' parameter to create modules that execute arbitrary commands when invoked.
Title                (none)           Evolution CMS 3.1.6 Authenticated Remote Code Execution via Module Creation
First Time appeared  (none)           Evo
                                      Evo evolution Cms
Weaknesses           (none)           CWE-94
CPEs                 (none)           cpe:2.3:a:evo:evolution_cms:3.1.6:*:*:*:*:*:*:*
Vendors & Products   (none)           Evo
                                      Evo evolution Cms
References           (none)           (none)
Metrics              (none)           cvssV3_1
                                      {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                                      cvssV4_0
                                      {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:43:57.324Z

Reserved: 2026-02-01T11:24:18.717Z

Link: CVE-2021-47939

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-10T13:16:30.233

Modified: 2026-05-10T13:16:30.233

Link: CVE-2021-47939

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T15:15:14Z

Weaknesses