DolphinPHP Incomplete Fix CVE-2021-46097 common.php os command injection
Description
A vulnerability was found in DolphinPHP up to 1.5.1. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file common.php of the component Incomplete Fix CVE-2021-46097. The manipulation of the argument id leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-221551.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DolphinPHP up to 1.5.1 suffers from a remote OS command injection via a crafted id parameter in common.php, exploiting an incomplete fix of CVE-2021-46097.
Vulnerability
DolphinPHP versions up to 1.5.1 (inclusive) contain an OS command injection vulnerability in the file /application/common.php. This is an incomplete fix of CVE-2021-46097. The issue lies in the _user_func method, which calls a function whose name is taken from the log rule (param[1]) with user-controlled request input (ids) as its argument; the only guard is a flawed deny-list check in is_disable_func(), which does not stop shell_exec(). The attacker can influence the function name through a log rule setting in the database: the param value is derived from a |-separated string that is matched against the action_info['log'] rule stored there [1].
Exploitation
An attacker with administrative access to the DolphinPHP backend can navigate to Behavior Management and edit the log rule for the "Delete Attachment" action. The rule must be set to [details|shell_exec] test ([details]) and the module set to "System" (not "User"). When a subsequent request is made to delete an attachment, the attacker can send crafted POST parameters like ids[]=calc%26&ids[]=X (where X is a valid attachment ID). The %26 decodes to &, and the param[1] value becomes shell_exec, which bypasses the disabled function list and executes the command via shell_exec() [1].
Impact
Successful exploitation allows an authenticated administrator to execute arbitrary operating system commands on the server. This can lead to full system compromise, data theft, malware deployment, or lateral movement within the network. The remote execution vector increases the severity, as the attacker needs only a valid session with admin privileges [1].
Mitigation
As of the publication date (2023-02-21), no official patch has been released for DolphinPHP 1.5.1. The vendor recommendation is to upgrade to a version beyond 1.5.1 once available. No workaround has been documented. Organizations using DolphinPHP should restrict administrative access to trusted users and monitor log settings for unauthorized changes. There is no indication of inclusion in CISA KEV [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- DolphinPHP/DolphinPHP
- Range: <=1.5.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/ssteveez/dolphin/blob/main/README.md (tags: mitre, exploit)
- vuldb.com (tags: mitre, signature, permissions-required)
- vuldb.com (tags: mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.