PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-47964 Schlix CVE debrief

CVE-2021-47964 describes an authenticated remote code execution flaw in Schlix CMS extension handling. The reported attack path uses the block manager to upload a crafted extension package, then triggers PHP code execution when the installed extension’s About tab is accessed. Because the issue enables arbitrary PHP execution with authenticated access, it should be treated as a high-risk administrative compromise vector.

Vendor
Schlix
Product
Schlix CMS
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-15
Original CVE updated
2026-05-18
Advisory published
2026-05-15
Advisory updated
2026-05-18

Who should care

Administrators and defenders running Schlix CMS, especially environments that allow extension/package uploads through the block manager. Security teams should also care if admin accounts are exposed to weak authentication, reused credentials, or broad internal access.

Technical summary

The supplied record states that Schlix CMS 2.2.6-6 is vulnerable to remote code execution through malicious extension packages uploaded via the block manager. The package can contain PHP code in packageinfo.inc, and execution is triggered when the extension’s About tab is accessed. NVD maps the issue to CWE-94 (Improper Control of Generation of Code). The entry is marked with high CVSS severity and authenticated network access requirements.

Defensive priority

High

Recommended defensive actions

  • Update or replace the affected Schlix CMS version if vendor guidance or a fixed release is available.
  • Restrict access to the CMS administration interface and block manager to trusted networks and users only.
  • Review recent extension or package uploads for unexpected ZIP files, especially those containing packageinfo.inc or other executable PHP content.
  • Inspect installed extensions and their metadata pages for unauthorized changes or suspicious behavior.
  • Check logs for unusual admin activity, extension installation attempts, or repeated access to extension About pages.
  • If compromise is suspected, rotate administrator credentials and review the host for webshells or other unauthorized PHP files.
  • Add monitoring and alerting for extension upload events and new PHP files appearing in extension directories.

Evidence notes

Evidence is limited to the supplied NVD record and referenced sources. The NVD metadata cites a VulnCheck advisory and an Exploit-DB reference, and the supplied description specifies the attack mechanism: malicious extension ZIP upload through the block manager, PHP code in packageinfo.inc, and execution on About-tab access. The NVD record also lists CWE-94 and a high-severity CVSS v4.0 vector. The vendor attribution in the prompt is weak, so the debrief avoids asserting more than the supplied Schlix CMS references support.

Official resources

NVD published the record on 2026-05-15 and last modified it on 2026-05-18. The supplied NVD metadata marks the vulnerability status as Deferred, and no KEV listing was provided in the source corpus.