Submit #707107: ctcms 2.1.2 Command Injectioninfo

Titlectcms 2.1.2 Command Injection
DescriptionCTCMS (Ctcms video system) version 2.1.2 contains a remote code execution vulnerability in the frontend community/forum functionality. An unauthenticated or low-privileged user can post malicious template syntax in the community section, leading to remote code execution when the post is viewed.The vulnerability exists in the template parsing mechanism. When users post content in the community section, the system processes template syntax (such as {if:...}...{end if}) without proper sanitization. By injecting malicious template code containing PHP functions like eval(), an attacker can achieve remote code execution.
Source⚠️ https://note-hxlab.wetolink.com/share/U6cnRoRfn09r
User
 airrudder (UID 25092)
Submission12/05/2025 09:01 (6 months ago)
Moderation12/15/2025 18:02 (10 days later)
StatusDuplicate
VulDB entry336488 [CTCMS Content Management System up to 2.1.2 Frontend/Template Management CT_Parser.php special elements used in a template engine]
Points0

PreviousOverviewNext

Want to know what is going to be exploited?

We predict KEV entries!