PatchSiren cyber security CVE debrief
CVE-2021-47939 Evo CVE debrief
CVE-2021-47939 is an authenticated remote code execution vulnerability associated with Evolution CMS 3.1.6. The supplied CVE description says an attacker with module creation permissions can inject PHP into module parameters and trigger arbitrary system commands through requests to /manager/index.php. Because exploitation requires authentication and elevated permissions, the main risk is from compromised accounts, insider misuse, or attackers who can obtain a privileged CMS login. The supplied record rates the issue HIGH (CVSS 8.7).
- Vendor: Evo
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-10
- Original CVE updated: 2026-05-10
- Advisory published: 2026-05-10
- Advisory updated: 2026-05-10
Who should care
Administrators and security teams running Evolution CMS, especially environments that allow non-administrative users to create or manage modules. Also relevant to teams that expose the CMS manager interface to the internet or rely on weak account controls.
Technical summary
The vulnerability is described as a PHP code injection path in the module creation workflow. An authenticated user with module creation privileges can place malicious PHP in module parameters via POST requests to /manager/index.php, leading to arbitrary command execution when the module is invoked. The supplied enrichment maps the issue to CWE-94 (code injection).
Defensive priority
High priority for systems that expose Evolution CMS management functions to multiple users or external networks. Because the flaw allows code execution from an authenticated path, affected deployments should treat account compromise and privilege boundaries as critical.
Recommended defensive actions
- Review whether Evolution CMS 3.1.6 is in use and identify all installations that expose the manager interface.
- Restrict module creation permissions to the smallest possible set of trusted administrators.
- Audit CMS accounts, session activity, and recent module changes for unauthorized or unusual actions.
- Apply vendor fixes or upgrade guidance from the official Evolution CMS release information when available.
- Limit access to /manager/index.php with network controls, MFA, and strong authentication where possible.
- Monitor for unexpected module definitions, PHP code in module parameters, or other signs of tampering.
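The last three actions (auditing recent module changes, restricting who may edit modules, and monitoring for PHP in module parameters) can be turned into a small review script. The following is an added example written for this debrief; it is not PatchSiren's or Evolution CMS's own code. It assumes you have exported module records as dicts with the keys `id`, `name`, `properties` (the module parameter string) and `editedby` (the editing account); the record layout, the `&name=caption;type;default` parameter format in the sample, and the marker list are all assumptions you should adjust to your installation.

```python
"""
Added example (not part of the debrief or of Evolution CMS):
flag module records whose parameter string contains PHP code markers,
and flag module edits made by accounts outside a trusted-admin allowlist.

Assumed record layout: {"id", "name", "properties", "editedby"}.
How the records are exported from the CMS is outside this example.
"""
import re
from typing import Dict, Iterable, List, Set

# Indicators of PHP source where only module configuration data belongs.
# Constructed list; extend it for your environment.
PHP_MARKERS = [
    re.compile(r"<\?php", re.IGNORECASE),
    re.compile(r"<\?=", re.IGNORECASE),
    re.compile(r"\b(eval|system|exec|shell_exec|passthru|popen|proc_open|assert)\s*\(",
               re.IGNORECASE),
    re.compile(r"\bbase64_decode\s*\(", re.IGNORECASE),
    re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b"),
]


def php_indicators(text: str) -> List[str]:
    """Return every marker string found in a module parameter value."""
    return [m.group(0) for pat in PHP_MARKERS for m in pat.finditer(text or "")]


def audit_modules(modules: Iterable[Dict], trusted_editors: Set[str]) -> List[Dict]:
    """Produce one finding per suspicious condition on each module record.

    Findings carry the module id/name, a reason code and the matched evidence,
    so they can be fed straight into a ticket or a SIEM alert.
    """
    findings: List[Dict] = []
    for mod in modules:
        hits = php_indicators(mod.get("properties", ""))
        if hits:
            findings.append({"id": mod["id"], "name": mod["name"],
                             "reason": "php_in_parameters", "evidence": hits})
        editor = mod.get("editedby")
        if editor and editor not in trusted_editors:
            findings.append({"id": mod["id"], "name": mod["name"],
                             "reason": "untrusted_editor", "evidence": [editor]})
    return findings


# Constructed sample records (assumed parameter syntax: &name=caption;type;default).
SAMPLE_MODULES = [
    {"id": 1, "name": "Newsletter", "properties": "&limit=Limit;text;10 &sort=Sort;text;desc",
     "editedby": "admin"},
    {"id": 2, "name": "Backup helper", "properties": "&cmd=Command;text;<?php system('id'); ?>",
     "editedby": "editor7"},
    {"id": 3, "name": "Gallery", "properties": "&path=Path;text;assets/images",
     "editedby": "contractor"},
]

if __name__ == "__main__":
    # Only "admin" is allowed to touch modules in this constructed scenario.
    for finding in audit_modules(SAMPLE_MODULES, {"admin"}):
        print(finding)
```

Run against a real export, the `untrusted_editor` findings tell you which accounts have been changing modules outside the set you intend to trust (action two above), while `php_in_parameters` findings are the concrete tampering signal the monitoring action asks for; both are worth alerting on rather than reviewing only on demand.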
Evidence notes
The supplied CVE description states that Evolution CMS 3.1.6 is affected and that authenticated users with module creation permissions can inject PHP via module parameters to execute system commands. The NVD-supplied reference set includes the official CVE record, the NVD detail page, the Evolution CMS site, Evolution CMS releases on GitHub, a VulnCheck advisory, and an Exploit-DB entry. The supplied NVD metadata marks the vulnerability status as Received and lists CWE-94 as the primary weakness.
Official resources
The CVE record and NVD entry are publicly available. In the supplied timeline, the CVE published and modified timestamps are both 2026-05-10T13:16:30.233Z.