CVE-2018-19404
In YXcms 1.4.7, the vulnerability resides in protected/apps/appmanage/controller/indexController.php. Remote authenticated Administrators can trigger arbitrary PHP code execution by creating a ZIP archive containing a config.php file, hosting the ZIP at an external URL, and accessing index.php?r=...