Submit #716078: EyouCMS 1.7.6 Command Injectioninfo

TitleEyouCMS 1.7.6 Command Injection
DescriptionEyouCMS version 1.7.6 contains a SQL Injection vulnerability in the backend template management functionality that leads to Remote Code Execution. The file manager implements incomplete input validation that only blocks {eyou:php} template tags while allowing {eyou:sql} tags. The {eyou:sql} tag handler executes arbitrary SQL queries with minimal restrictions (only blocking DELETE and TRUNCATE). By using MySQL INTO OUTFILE, an authenticated administrator can write malicious PHP files to the webroot, achieving remote code execution.
Source⚠️ https://note-hxlab.wetolink.com/share/XfINjg5i25Ud
User
 yu22x (UID 34832)
Submission12/16/2025 02:20 (4 months ago)
Moderation12/27/2025 12:24 (11 days later)
StatusAccepted
VulDB entry338521 [EyouCMS up to 1.7.6 Backend Template Management FilemanagerLogic.php content sql injection]
Points20

PreviousOverviewNext

Want to know what is going to be exploited?

We predict KEV entries!