Schlix CMS RCE (CVE-2021-47964) Exposes Servers to Authenticated Attackers

Schlix CMS 2.2.6-6 contains a critical remote code execution (RCE) vulnerability, tracked as CVE-2021-47964, according to the National Vulnerability Database. This flaw allows authenticated attackers to execute arbitrary PHP code. The attack vector leverages the block manager, where an attacker can upload a malicious extension package.

The exploit chain involves crafting a ZIP file with PHP code embedded within the packageinfo.inc file. Once this malicious extension is installed, merely accessing the ‘About’ tab of the new extension triggers code execution. The National Vulnerability Database rates this with a CVSS score of 8.8 (High), highlighting the severe impact of successful exploitation.

This vulnerability represents a significant risk for organizations running affected Schlix CMS versions. While it requires prior authentication, the ability to execute arbitrary code results in full system compromise. Defenders need to understand that an attacker only needs valid credentials (which could be stolen, phished, or brute-forced) to achieve server-side RCE. The attacker’s calculus here is straightforward: gain initial access, then elevate to full control.

What This Means For You

  • If your organization uses Schlix CMS 2.2.6-6 or earlier, you are exposed. Patch immediately. Audit your Schlix CMS instances for any unauthorized or suspicious extension installations, especially those installed via the block manager. Review access logs for unusual activity from authenticated users.
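
One way to support the extension audit above is to check every packageinfo.inc inside an extension ZIP for executable PHP constructs before or after installation. This is an added example, not code from Schlix or from the original page; the function names, the token list and both sample archives are constructed for illustration, and it assumes a legitimate packageinfo.inc holds only descriptive metadata.

```python
import io
import re
import zipfile

# Assumption: a legitimate packageinfo.inc carries only descriptive metadata,
# so calls that run commands or evaluate strings deserve a manual review.
SUSPICIOUS = re.compile(
    rb"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
    rb"base64_decode|include|require)(_once)?\s*\(|`[^`]+`",
    re.IGNORECASE,
)
MAX_MEMBER_BYTES = 1_000_000  # skip members whose declared size is larger


def scan_package(data: bytes) -> list[tuple[str, str]]:
    """Return (member, reason) findings for every packageinfo.inc in a ZIP."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid ZIP file")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.filename.lower().rsplit("/", 1)[-1] != "packageinfo.inc":
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((info.filename, "oversized member, not scanned"))
                continue
            body = archive.read(info)
            for match in SUSPICIOUS.finditer(body):
                token = match.group(0).decode("ascii", "replace").strip()
                findings.append((info.filename, f"suspicious construct: {token}"))
    return findings


def build_zip(files: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP; used only to create the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not taken from a real Schlix extension).
BENIGN = build_zip({"demo/packageinfo.inc": b"<?php $info = array('name' => 'Demo');"})
TAMPERED = build_zip({"demo/packageinfo.inc": b"<?php $info = array(); eval($x);"})

print(scan_package(BENIGN), scan_package(TAMPERED))
```

A hit is a prompt for manual review of the package, not proof of compromise; an empty result does not clear a package whose code is obfuscated beyond these tokens.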

🛡️ Detection Rules

Severity: critical · ATT&CK: T1190 (Initial Access)

Schlix CMS Arbitrary PHP Code Upload - CVE-2021-47964

Sigma YAML:
title: Schlix CMS Arbitrary PHP Code Upload - CVE-2021-47964
id: scw-2026-05-15-ai-1
status: experimental
level: critical
description: |
  Detects the upload of a malicious extension package containing a 'packageinfo.inc' file, which is a key step in exploiting CVE-2021-47964 in Schlix CMS. This allows authenticated attackers to upload arbitrary PHP code.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2021-47964/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: file_event
detection:
  # A file named packageinfo.inc is created on disk
  selection:
    TargetFilename|endswith:
      - '/packageinfo.inc'
    EventType: 'create'
  # Both selections test the same TargetFilename, so the rule matches only
  # when packageinfo.inc is created under a path that itself contains '.zip'
  selection_base:
    TargetFilename|contains:
      - '.zip'
  # Sigma condition operators are written in lowercase
  condition: selection and selection_base
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID | Type | Indicator
CVE-2021-47964 | RCE | Schlix CMS 2.2.6-6
CVE-2021-47964 | RCE | Uploading malicious extension packages through the block manager
CVE-2021-47964 | RCE | Crafted ZIP file containing PHP code in packageinfo.inc
CVE-2021-47964 | RCE | Trigger execution by accessing the About tab of the installed extension

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 15, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
