CVE-2021-47753
Published: 15 January 2026
Summary
CVE-2021-47753 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Phpkf Cms. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2021-47753 is an unauthenticated file upload vulnerability in phpKF CMS 3.00 Beta y6. It enables remote attackers to execute arbitrary code by bypassing file extension checks, specifically by uploading a PHP file disguised as a PNG image, renaming it, and executing system commands through a crafted web shell parameter. The issue is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.
Remote attackers require no authentication, privileges, or user interaction to exploit the vulnerability over the network with low complexity. Successful exploitation allows arbitrary code execution on the affected server, providing high impacts to confidentiality, integrity, and availability, potentially leading to full system compromise.
References include an exploit at https://www.exploit-db.com/exploits/50610, along with the phpKF CMS website at https://www.phpkf.com/ and its download page at https://www.phpkf.com/indirme.php. No specific mitigation or patch details from advisories are available in the provided information.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2783
Vulnerability details
phpKF CMS 3.00 Beta y6 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary code by bypassing file extension checks. Attackers can upload a PHP file disguised as a PNG, rename it, and execute system commands…
more
through a crafted web shell parameter.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2021-47753 enables unauthenticated RCE through unrestricted file upload to a public-facing CMS (T1190: Exploit Public-Facing Application) by disguising and executing a PHP web shell (T1100: Web Shell).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly validates uploaded file content and types to prevent disguised PHP executables from bypassing extension checks and enabling arbitrary code execution.
Enforces authentication and authorization requirements for file upload functionality, blocking unauthenticated remote attackers from exploiting the vulnerability.
Scans and removes malicious code in uploaded files, such as PHP web shells, mitigating arbitrary code execution post-upload.