CVE-2013-10051 CRITICAL

CVE-2013-10051: InstantCMS <= 1.6 Remote PHP Code Execution

Vendor Instantcms
Product InstantCMS
Weakness CWE-95 · Eval injection
Published August 1, 2025
Last update May 15, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval() within the search view handler. Specifically, user-supplied input passed via the look parameter is concatenated into a PHP expression and executed without proper sanitation. A remote attacker can exploit this flaw by sending a crafted HTTP GET request with a base64-encoded payload in the Cmd header, resulting in arbitrary PHP code execution within the context of the web server.

Key dates

02Disclosure timeline

August 1, 2025 CVE published
May 15, 2026 Record updated