CVE-2021-40188
Severity: 7.2 HIGH
PHPFusion 9.03.110 is affected by an arbitrary file upload vulnerability
Published: 2021-10-11 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 7.2 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-434
Affected products
| Vendor | Product |
|---|---|
| php-fusion | phpfusion |
Description
PHPFusion 9.03.110 is affected by an arbitrary file upload vulnerability. The File Manager function in the admin panel does not filter all PHP extensions (such as ".php", ".php7", ".phtml", ".php5", ...). An attacker with access to the admin panel can upload a malicious file and execute code on the server.
Source: NVD
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-40188)
- [Exploit reference](https://github.com/PHPFusion/PHPFusion/issues/2372)
Related CVEs
Same vendor
- CVE-2021-40189 — PHPFusion 9.03.110 is affected by a remote code execution vulnerability (7.2 HIGH)
- CVE-2021-40541 — PHPFusion 9.03.110 is affected by cross-site scripting (XSS) in the preg patterns filter html tag without "//" in descript() function An ... (6.1 MEDIUM)
Same CWE
- CVE-2026-40750 — Unrestricted Upload of File with Dangerous Type vulnerability in themagnifico52 Kids Online Store allows Upload a Web Shell to a Web Server (9.9 CRITICAL)
- CVE-2026-6933 — The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and inclu... (8.8 HIGH)
- CVE-2026-40772 — Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions (10.0 CRITICAL)
- CVE-2026-39591 — Subscriber Arbitrary File Upload in WP-BusinessDirectory <= 4.0.0 versions (9.9 CRITICAL)
- CVE-2026-39527 — Subscriber Arbitrary File Upload in WpStream < 4.11.2 versions (5.4 MEDIUM)