CVE-2021-47734 HIGH

CVE-2021-47734: CMSimple 5.4 Authenticated Local File Inclusion Remote Code Execution

Vendor Cmsimple
Product CMSimple
Weakness CWE-98 · PHP file inclusion
Published December 23, 2025
Last update March 17, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

CMSimple 5.4 contains an authenticated local file inclusion vulnerability that allows remote attackers to manipulate PHP session files and execute arbitrary code. Attackers can leverage the vulnerability by changing the functions file path and uploading malicious PHP code through session file upload mechanisms.

Key dates

02 Disclosure timeline

December 23, 2025 CVE published
March 17, 2026 Record updated