Gila CMS Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in Gila CMS versions prior to 2.0.0. This vulnerability allows unauthenticated attackers to execute arbitrary system commands by injecting PHP code into the User-Agent header. The crafted requests are sent to the admin endpoint, where the injected code is executed using the shell_exec() function.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Gila CMS is hosted.

Reproduction

To reproduce this vulnerability, send a request to the Gila CMS admin endpoint with a crafted User-Agent header that includes PHP code. The injected code should be designed to execute a system command using the shell_exec() function. The request can be made using a tool like cURL or through a web application vulnerability scanner that allows for header manipulation.

Remediation

Users are advised to update to Gila CMS version 2.0.0 or later, where this vulnerability has been addressed.
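The advisory describes a specific attempt pattern (PHP code carrying a shell_exec() call in the User-Agent header of requests to the admin endpoint), which can be checked for in web-server access logs while the update is rolled out. The following is an added example, not code from the advisory or from Gila CMS; it assumes Apache/nginx combined log format and uses constructed sample lines.

```python
import re

# Constructed sample access-log lines in combined log format; not from any real server.
SAMPLE_LOG = r'''
203.0.113.5 - - [27/Jan/2026:16:47:01 +0000] "GET /admin HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
203.0.113.7 - - [27/Jan/2026:16:47:05 +0000] "GET /admin HTTP/1.1" 200 498 "-" "<?php shell_exec('CONSTRUCTED'); ?>"
203.0.113.9 - - [27/Jan/2026:16:47:09 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "curl/8.4.0"
'''.strip()

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markers of PHP code smuggled into a header: a PHP open tag, or a command-execution builtin.
# This matches the plain form the advisory describes; encoded or obfuscated payloads need further rules.
PHP_TAG_RE = re.compile(r'<\?(php|=)?', re.IGNORECASE)
EXEC_FUNC_RE = re.compile(r'\b(shell_exec|exec|system|passthru|popen|proc_open)\s*\(', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_user_agent(ua):
    """Return the list of reasons a User-Agent value looks like a PHP injection attempt."""
    reasons = []
    if PHP_TAG_RE.search(ua):
        reasons.append('php_open_tag')
    if EXEC_FUNC_RE.search(ua):
        reasons.append('exec_function')
    return reasons


def find_injection_attempts(log_text, admin_prefix='/admin'):
    """Scan log text and report requests whose User-Agent carries PHP code.

    admin_prefix is an assumed path for the Gila CMS admin endpoint; adjust to the deployment.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = suspicious_user_agent(rec['ua'])
        if reasons:
            hits.append({'ip': rec['ip'], 'ts': rec['ts'], 'path': rec['path'],
                         'reasons': reasons, 'targets_admin': rec['path'].startswith(admin_prefix)})
    return hits
```

Hits that target the admin path are the ones matching this advisory; hits elsewhere still indicate probing worth reviewing.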

Added: Jan 27, 2026, 4:47 PM
Updated: Jan 27, 2026, 4:47 PM

Vulnerability Rating

Custom Algorithm

spread:         1.0
impact:         2.5
exploitability: 9.7
remediation:    0.0
relevance:      2.4
threat:         6.4
urgency:        2.9
incentive:      8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.