Description
Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious extension packages through the block manager. Attackers can upload a crafted ZIP file containing PHP code in the packageinfo.inc file and trigger execution by accessing the About tab of the installed extension.
Published: 2026-05-15
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Schlix CMS 2.2.6-6 contains a vulnerability that allows an authenticated attacker to execute arbitrary PHP code by abusing the block manager’s extension upload functionality. The flaw is a classic code injection (CWE-94) where malicious PHP embedded in a crafted ZIP file’s packageinfo.inc is executed when an administrator accesses the About tab of the installed extension. Successful exploitation gives an attacker full control over the web server, compromising confidentiality, integrity, and availability of the entire application and underlying system.

Affected Systems

The affected products are Schlix CMS from Schlix. The CVE specifically enumerates version 2.2.6‑6 as vulnerable. While other nearby releases (e.g., 2.2.7‑2, 2.2.8‑1, 2.1.8‑7, 2.2.1‑3) are listed in the CPE data, the advisory focuses on the 2.2.6‑6 build. Administrators running that version or at risk of deploying the same block manager configuration should address the issue immediately.

Risk and Exploitability

The CVSS score of 8.7 places this flaw in the high severity range. Exploitation requires valid authentication to access the block manager, reducing opportunistic attack likelihood, yet once authenticated, the attacker can run any PHP code. The EPSS score is unavailable, and it has not yet been listed in the CISA KEV catalog, but the high base score warrants proactive mitigation.

Generated by OpenCVE AI on May 15, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Schlix CMS to a version newer than 2.2.6‑6 that contains the vendor’s fix.
  • Restrict access to the block manager and extension upload feature to the smallest possible set of trusted administrators, and audit uploads for suspicious content.
  • Disable or remove PHP execution in the packageinfo.inc file by configuring the CMS to treat uploaded packages as plain data, or temporarily block the About tab functionality until a patch is applied.

Generated by OpenCVE AI on May 15, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious extension packages through the block manager. Attackers can upload a crafted ZIP file containing PHP code in the packageinfo.inc file and trigger execution by accessing the About tab of the installed extension.
Title Schlix CMS 2.2.6-6 Remote Code Execution via core.blockmanager
First Time appeared Schlix
Schlix cms
Weaknesses CWE-94
CPEs cpe:2.3:a:schlix:cms:2.1.8-7:*:*:*:*:*:*:*
cpe:2.3:a:schlix:cms:2.2.1-3:*:*:*:*:*:*:*
cpe:2.3:a:schlix:cms:2.2.7-2:*:*:*:*:*:*:*
cpe:2.3:a:schlix:cms:2.2.8-1:*:*:*:*:*:*:*
Vendors & Products Schlix
Schlix cms
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Schlix Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-15T18:36:30.617Z

Reserved: 2026-05-15T16:30:56.473Z

Link: CVE-2021-47964

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-15T19:16:56.030

Modified: 2026-05-15T19:16:56.030

Link: CVE-2021-47964

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T20:30:06Z

Weaknesses