Critical severity10.0NVD Advisory· Published Apr 5, 2025· Updated Apr 15, 2026

CVE-2021-47667

Description

An OS command injection vulnerability in lib/NSSDropoff.php in ZendTo 5.24-3 through 6.x before 6.10-7 allows unauthenticated remote attackers to execute arbitrary commands via shell metacharacters in the tmp_name parameter when dropping off a file via a POST /dropoff request.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

projectblack.io/blog/zendto-nday-vulnerabilities/nvd

News mentions

No linked articles in our index yet.

cvss	0.650
epss	0.007
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000