Cyber Posture

CVE-2021-47900

Severity: Critical · Public PoC available

Published: 27 January 2026
Modified: 15 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0028 (51.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Gila CMS versions prior to 2.0.0 contain a remote code execution vulnerability that lets unauthenticated attackers run arbitrary system commands through manipulated HTTP headers. The attacker places PHP code that calls shell_exec() in the User-Agent header and then sends crafted requests to the admin endpoint, after which the injected code executes and runs system commands on the server.

Mitigating Controls (NIST 800-53 r5, AI-generated)

Prevent: Directly mitigates CVE-2021-47900 through flaw remediation, that is, timely patching or upgrading Gila CMS to version 2.0.0 or later, which closes the code-injection path in HTTP header processing.

Prevent: Enforces validation and sanitization of untrusted inputs such as the User-Agent HTTP header, so that PHP code injected there cannot lead to arbitrary command execution.

Prevent / Detect: Implements boundary protection such as a web application firewall to inspect and filter crafted HTTP requests targeting the vulnerable admin endpoint.
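As an added example (not code from this page, from Gila CMS, or from the advisory authors), the following Python shows the working side of the last two controls: a WAF-style check that flags PHP code carried in request headers, a retrospective scan of access-log lines in the common "combined" format, and a sanitizer that percent-encodes PHP tag characters before a header value is persisted. The payload indicators, the log format, the header and function names, and the sample log lines are all assumptions constructed for the example. The check is applied to every header rather than only User-Agent, on the assumption that any header value written to a file is equally usable as a carrier.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Payload indicators. These patterns are an assumption of this example, chosen to
# match the payload shape the advisory describes: a PHP open tag plus a
# command-execution call such as shell_exec().
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
PHP_EXEC_CALL = re.compile(
    r"\b(?:shell_exec|system|exec|passthru|popen|proc_open)\s*\(", re.IGNORECASE
)

# Apache/nginx "combined" access-log format; the User-Agent is the last quoted field.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic). The first carries the kind of
# User-Agent payload the advisory describes; the other two are benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Jan/2026:10:01:12 +0000] "GET /admin/ HTTP/1.1" 302 0 "-" '
    '"<?php echo shell_exec($_GET[\'cmd\']); ?>"',
    '198.51.100.4 - - [27/Jan/2026:10:01:15 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
    '203.0.113.7 - - [27/Jan/2026:10:01:20 +0000] "GET /admin/ HTTP/1.1" 200 310 "-" "curl/8.5.0"',
]


@dataclass
class Finding:
    ip: str
    request: str
    header: str
    value: str
    reasons: List[str] = field(default_factory=list)


def classify_header(value: str) -> List[str]:
    """Reasons a header value looks like an injected PHP payload ([] if clean)."""
    reasons = []
    if PHP_OPEN_TAG.search(value):
        reasons.append("php-open-tag")
    if PHP_EXEC_CALL.search(value):
        reasons.append("command-exec-call")
    return reasons


def suspicious_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """WAF-style request check over every header, not just User-Agent."""
    hits = {}
    for name, value in headers.items():
        reasons = classify_header(value)
        if reasons:
            hits[name] = reasons
    return hits


def scan_access_log(lines) -> List[Finding]:
    """Retrospective detection: flag log entries whose User-Agent carried PHP code."""
    findings = []
    for line in lines:
        m = COMBINED_LOG.match(line.rstrip("\n"))
        if not m:
            continue  # not in combined format; skip rather than guess at fields
        reasons = classify_header(m.group("ua"))
        if reasons:
            findings.append(Finding(m.group("ip"), m.group("request"),
                                    "User-Agent", m.group("ua"), reasons))
    return findings


def sanitize_header_for_log(value: str) -> str:
    """Input-sanitization control: percent-encode the characters that make up PHP
    tags (and control characters) before a header is written anywhere, so the
    stored text cannot be parsed as PHP even if a later include() reaches the file."""
    out = []
    for ch in value:
        if ch in "<>?" or ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("%%%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.ip} {f.request!r} {f.header}={f.value!r} -> {', '.join(f.reasons)}")
    print(sanitize_header_for_log("<?php echo shell_exec($_GET['cmd']); ?>"))
```

The sanitizer deliberately leaves function names such as shell_exec intact, so the detection rules still fire on stored values while the stored text can no longer be executed by a PHP parser; the real fix remains upgrading to 2.0.0 or later, and encoding is a defence-in-depth layer for logs and similar write paths.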

Security Summary (AI-generated)

CVE-2021-47900 is a remote code execution vulnerability in Gila CMS versions prior to 2.0.0. An unauthenticated attacker injects PHP code that invokes shell_exec() into the User-Agent header and sends crafted requests to the admin endpoint, after which the injected code executes and runs arbitrary system commands. It carries a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program); that mapping indicates the header-borne payload is reached through a PHP file inclusion rather than Gila CMS calling shell_exec() on the header itself.

Unauthenticated remote attackers can exploit this vulnerability with low complexity and without any privileges or user interaction. Successful exploitation gives arbitrary system command execution, which can lead to complete server compromise, with high impact on confidentiality, integrity, and availability.

References for the issue include the Gila CMS site (https://gilacms.com/), the GitHub repository (https://github.com/GilaCMS/gila), an Exploit-DB proof of concept (https://www.exploit-db.com/exploits/49412), and a VulnCheck advisory (https://www.vulncheck.com/advisories/gila-cms-remote-code-execution). Mitigation centers on upgrading to version 2.0.0 or later.

A public exploit is available on Exploit-DB, so working proof-of-concept code is readily obtainable even though the EPSS score (0.0028) is low; the low EPSS value should not be read as an absence of exploitation capability.

Details

CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2021-47900 enables unauthenticated remote code execution via manipulated HTTP headers in a public-facing web application (Gila CMS admin endpoint), directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

Gila CMS site: https://gilacms.com/
Gila CMS GitHub repository: https://github.com/GilaCMS/gila
Exploit-DB proof of concept (EDB-ID 49412): https://www.exploit-db.com/exploits/49412
VulnCheck advisory: https://www.vulncheck.com/advisories/gila-cms-remote-code-execution