CVE-2024-58284 HIGH

CVE-2024-58284: PopojiCMS 2.0.1 Remote Command Execution via Authenticated Metadata Settings

Vendor Popojicms
Product PopojiCMS
Weakness CWE-94 · Code injection
Published December 10, 2025
Last update April 7, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the meta content to create a web shell that executes arbitrary system commands through a GET parameter.

Key dates

02 Disclosure timeline

December 10, 2025 CVE published
April 7, 2026 Record updated