CVE-2021-47937: e107 CMS Allows Malicious Theme Files to Execute System Commands
Summary
Authenticated users with theme installation permissions on e107 CMS can upload malicious theme files, which can then execute system commands. This allows attackers to take control of the website. To fix this, update to a secure version of e107 CMS or remove the ability for users to install themes.
Original title
e107 CMS 2.3.0 contains a remote code execution vulnerability that allows authenticated users with theme installation permissions to execute arbitrary commands by uploading malicious theme files. A...
Original description
e107 CMS 2.3.0 contains a remote code execution vulnerability that allows authenticated users with theme installation permissions to execute arbitrary commands by uploading malicious theme files. Attackers can upload a crafted theme package through the theme.php endpoint that deploys a web shell to the e107_themes directory, then execute system commands via the payload.php script.
nvd CVSS3.1
8.8
nvd CVSS4.0
8.7
Vulnerability type
CWE-434
Unrestricted File Upload
Published: 10 May 2026 · Updated: 28 May 2026 · First seen: 10 May 2026
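Detection example (added here, not part of the CVE record or of e107): the description's sequence of a theme upload through theme.php followed by a request to a PHP file under e107_themes can be searched for in web server access logs. The log lines, the `/e107_admin/theme.php` path, the theme name and the 30-minute window are constructed assumptions, as is the premise that PHP files inside theme folders are not normally requested directly.

```python
import re
from datetime import datetime, timedelta

# Constructed access-log lines (sample IPs, theme name and admin path are assumptions).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2026:10:00:01 +0000] "POST /e107_admin/theme.php HTTP/1.1" 200 5120
203.0.113.7 - - [10/May/2026:10:00:09 +0000] "GET /e107_themes/demo/payload.php HTTP/1.1" 200 48
198.51.100.4 - - [10/May/2026:10:05:00 +0000] "GET /e107_themes/demo/style.css HTTP/1.1" 200 900
192.0.2.55 - - [10/May/2026:12:00:00 +0000] "GET /e107_themes/demo/payload.php HTTP/1.1" 200 48
198.51.100.9 - - [10/May/2026:13:00:00 +0000] "POST /e107_admin/theme.php HTTP/1.1" 200 5000
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Any PHP file requested directly from inside a theme folder.
THEME_PHP = re.compile(r"/e107_themes/[^/]+/.*\.php$", re.IGNORECASE)


def find_theme_php_hits(log_text, window=timedelta(minutes=30)):
    """Return (ip, path, followed_upload) for each successful direct request
    to a PHP file under e107_themes/. followed_upload is True when the same
    client POSTed to a theme.php endpoint within `window` beforehand."""
    last_upload = {}  # client IP -> time of its latest POST to theme.php
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        ip, ts, method, url, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = url.split("?", 1)[0]  # ignore the query string when matching
        if THEME_PHP.search(path):
            if status.startswith("2"):
                prior = last_upload.get(ip)
                followed = prior is not None and timedelta(0) <= when - prior <= window
                hits.append((ip, path, followed))
        elif method == "POST" and path.endswith("/theme.php"):
            last_upload[ip] = when
    return hits


if __name__ == "__main__":
    for ip, path, followed in find_theme_php_hits(SAMPLE_LOG):
        level = "HIGH" if followed else "review"
        print(f"[{level}] {ip} requested {path}")
```

Hits without a preceding upload from the same client are still worth reviewing, since the file may have been placed earlier or from another address.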