CVE-2021-47938: ImpressCMS Autotasks Interface Allows Malicious PHP Code Execution
Summary
ImpressCMS's administrative interface has a security flaw that lets logged-in attackers execute their own PHP code on the site. The attacker submits a crafted request to the autotasks interface with PHP code in the sat_code parameter, which can lead to unauthorized actions on the site. To fix this, update to the latest version of ImpressCMS or disable the autotasks interface until the update is available.
Original title
ImpressCMS 1.4.2 contains a remote code execution vulnerability in the autotasks administrative interface that allows authenticated attackers to execute arbitrary PHP code by injecting malicious co...
Original description
ImpressCMS 1.4.2 contains a remote code execution vulnerability in the autotasks administrative interface that allows authenticated attackers to execute arbitrary PHP code by injecting malicious code into the sat_code parameter. Attackers can authenticate, submit a POST request to /modules/system/admin.php?fct=autotasks&op=mod with crafted sat_code containing PHP commands, which creates an executable file that accepts arbitrary commands via GET parameters.
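A defender can look for the request pattern described above in web server access logs. The following is an added example, not code from this advisory or from ImpressCMS: it flags POSTs that save an autotask and any PHP path first requested with a query string only after such a save. It assumes combined log format; the function name and sample log lines are constructed, and because access logs do not record POST bodies, the sat_code value itself is not visible here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.9 - - [10/May/2026:09:59:00 +0000] "GET /index.php?page=1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2026:09:59:30 +0000] "POST /modules/system/admin.php?fct=users&op=mod HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2026:10:00:01 +0000] "POST /modules/system/admin.php?fct=autotasks&op=mod HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/May/2026:10:00:09 +0000] "GET /constructed_new_file.php?p=1 HTTP/1.1" 200 64 "-" "curl/8.0"
203.0.113.9 - - [10/May/2026:10:02:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
AUTOTASKS_PATH = "/modules/system/admin.php"  # endpoint named in the advisory


def review_log(log_text):
    """Return (autotask saves, PHP paths first requested only after a save)."""
    saves, new_after_save, seen_paths = [], [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        client, ts, method, target, status = m.groups()
        url = urlsplit(target)
        query = parse_qs(url.query)
        if (method == "POST" and url.path == AUTOTASKS_PATH
                and query.get("fct") == ["autotasks"]
                and query.get("op") == ["mod"]):
            # An autotask was created or edited: review who did it and why.
            saves.append((client, ts, int(status)))
        elif (saves and method == "GET" and url.path.endswith(".php")
                and url.query and status.startswith("2")
                and url.path not in seen_paths):
            # Heuristic: a PHP file never requested before the save is now
            # answering parameterised GETs. Query values are not echoed.
            new_after_save.append((client, ts, url.path))
        seen_paths.add(url.path)
    return saves, new_after_save


if __name__ == "__main__":
    saves, new_paths = review_log(SAMPLE_LOG)
    for hit in saves:
        print("autotask modified:", hit)
    for hit in new_paths:
        print("new PHP path after save:", hit)
```

Autotask saves by a legitimate administrator will also appear in the first list, so treat the output as a review queue and compare it against known change activity.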
nvd CVSS3.1
8.8
nvd CVSS4.0
8.7
Vulnerability type
CWE-94
Code Injection
Published: 10 May 2026 · Updated: 30 May 2026 · First seen: 10 May 2026