Cyber Resilience

CVE-2013-10051

Critical · Public PoC · RCE

Published: 01 August 2025
Modified: 09 October 2025
KEV Added: not listed
Patch: none referenced
CVSS Score (v4): 9.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.8414 (99.3rd percentile)
Risk Priority: 69 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2013-10051 is a critical-severity Eval Injection (CWE-95) vulnerability in InstantCMS (listed as vendor/product Instantcms Instantcms). Its CVSS v4 base score is 9.3 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2013-10051 is a remote PHP code execution vulnerability affecting InstantCMS version 1.6 and earlier. The flaw stems from the unsafe use of the eval() function within the search view handler, where user-supplied input passed via the look parameter is concatenated directly into a PHP expression and executed without proper sanitization. This CWE-95 issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting the potential for complete compromise of the host.

A remote attacker can exploit this vulnerability by sending a crafted HTTP GET request containing a base64-encoded payload in the Cmd header. No privileges, user interaction, or special access are required, allowing unauthenticated attackers to achieve arbitrary PHP code execution within the context of the web server process. Successful exploitation grants full control over the server, enabling data theft, persistence, or further lateral movement.

Public references, including advisories from Vulncheck and proof-of-concept exploits on Exploit-DB (ID 26622) and PacketStorm, detail the vulnerability but, in the information available, do not specify official patches or mitigations. A Metasploit module (unix/webapp/instantcms_exec.rb) exists for automated exploitation, underscoring the need to upgrade or remove affected InstantCMS installations without delay.

Vulnerability details

A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval() within the search view handler. Specifically, user-supplied input passed via the look parameter is concatenated into a PHP expression and executed without proper sanitization. A remote attacker can exploit this flaw by sending a crafted HTTP GET request with a base64-encoded payload in the Cmd header, resulting in arbitrary PHP code execution within the context of the web server.

CWE(s): CWE-95 (Eval Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated RCE in public-facing web app via eval of unsanitized input matches T1190 exactly.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28281 (same product: Instantcms Instantcms)
CVE-2026-44128 (shared CWE-95)
CVE-2026-29091 (shared CWE-95)
CVE-2025-68271 (shared CWE-95)
CVE-2025-50187 (shared CWE-95)
CVE-2024-10633 (shared CWE-95)
CVE-2026-33618 (shared CWE-95)
CVE-2026-4001 (shared CWE-95)
CVE-2026-1470 (shared CWE-95)
CVE-2025-8420 (shared CWE-95)

Affected Assets

instantcms / instantcms, versions ≤ 1.6.0

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 Information Input Validation (prevent)

Directly prevents remote PHP code execution by requiring validation of user-supplied input in the look parameter before it is concatenated into eval().

SI-2 Flaw Remediation (prevent)

Requires timely flaw remediation, such as patching or upgrading InstantCMS, to eliminate the unsafe eval() usage in the search handler.

SC-7 Boundary Protection (prevent, detect)

Boundary protection via web application firewalls can block crafted HTTP GET requests carrying malicious base64-encoded payloads in the Cmd header.
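The request pattern described under Deeper analysis and in the boundary-protection control above, as an added detection example (not code from this advisory, from InstantCMS, or from any vendor rule set): it scores constructed request records for the two signals the advisory names, PHP syntax in the search view's look parameter and a Cmd header holding base64 that decodes to PHP-like code. The index.php?view=search&look= URL shape, the header handling and the list of PHP function names are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Signals taken from the advisory: PHP syntax in the search view's "look" parameter,
# and a non-standard "Cmd" header whose base64 decodes to PHP-looking code.
LOOK_META = re.compile(r"""["'();$]|\beval\b|\$_(?:GET|POST|SERVER|REQUEST)""", re.I)
PHP_HINTS = re.compile(rb"<\?php|\b(?:eval|system|passthru|shell_exec|base64_decode|phpinfo)\s*\("
                       rb"|\$_(?:GET|POST|SERVER|REQUEST)", re.I)

def b64_decode_strict(value: str):
    """Return decoded bytes if value is syntactically valid base64, else None."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

def assess_request(method: str, target: str, headers: dict) -> list:
    """Reasons this request matches the CVE-2013-10051 pattern ([] = nothing suspicious).
    The index.php?view=search&look= URL shape is an assumption, not taken from the advisory."""
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)  # also percent-decodes values
    hdrs = {k.lower(): v for k, v in headers.items()}     # header names are case-insensitive
    reasons = []
    if any(LOOK_META.search(v) for v in params.get("look", [])):
        reasons.append("look parameter contains PHP syntax")
    cmd = hdrs.get("cmd")
    if cmd is not None:
        reasons.append("non-standard Cmd header present")
        decoded = b64_decode_strict(cmd)
        if decoded is not None and PHP_HINTS.search(decoded):
            reasons.append("Cmd header is base64 of PHP-like code")
    if reasons and method.upper() == "GET" and params.get("view") == ["search"]:
        reasons.append("targets the search view")
    return reasons

# Constructed sample traffic (not captured data): a benign search, a suspicious request,
# and a Cmd header that is not valid base64.
SAMPLE_REQUESTS = [
    ("GET", "/index.php?view=search&look=instantcms+themes", {"Host": "cms.example"}),
    ("GET", "/index.php?view=search&look=x%22%3B%24a%3D1%3B%22",
     {"Host": "cms.example", "Cmd": base64.b64encode(b"phpinfo();").decode()}),
    ("GET", "/index.php?view=search&look=report", {"Host": "cms.example", "Cmd": "hello"}),
]

def flagged_requests(requests=SAMPLE_REQUESTS) -> list:
    """Return (target, reasons) for each request that raised at least one reason."""
    results = [(t, assess_request(m, t, h)) for m, t, h in requests]
    return [(t, r) for t, r in results if r]
```

A bare Cmd header on a search request is reported even when its value is not valid base64, so that rule tuning can decide whether the header alone is worth alerting on.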

References