PHP file inclusion in Sulu - CVE-2021-43836

Published: December 15, 2021 / Updated: May 12, 2026


Vulnerability identifier: #VU131111
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-43836
CWE-ID: CWE-98
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Sulu GmbH
Affected software: Sulu

Detailed vulnerability description

The vulnerability allows a remote user to read arbitrary local files and execute arbitrary code.

The vulnerability exists due to improper control of file inclusion in the Sulu admin panel when processing crafted backend input. A remote user can trigger a PHP file include to read arbitrary local files and execute arbitrary code.

In a default configuration, the issue can lead to remote code execution.
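The weakness class named above (CWE-98, improper control of the filename passed to a PHP include) is easiest to see as the vulnerable pattern beside its hardened form. The snippet below is an added illustration and is not Sulu's code, nor a reproduction of the flaw in this advisory; the `template` request parameter, the `templates/` directory and the template names are assumptions made for the example.

```php
<?php
// Added illustration of CWE-98 (improper control of the filename used in
// include). This is NOT Sulu's code and does not reproduce the advisory's
// flaw; the parameter name, directory and template names are constructed.

declare(strict_types=1);

// Vulnerable pattern: an untrusted request value is spliced into the include
// path. Any value that resolves to a readable file is loaded and executed as
// PHP, which is why such bugs are reported as both file read and code execution.
function renderUnsafe(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// Hardened pattern: map the untrusted name onto a fixed allowlist, then
// confirm the resolved path still lies inside the templates directory.
const TEMPLATE_DIR = __DIR__ . '/templates';
const ALLOWED_TEMPLATES = [
    'dashboard' => 'dashboard.php',
    'settings'  => 'settings.php',
];

function resolveTemplate(string $name): ?string
{
    if (!isset(ALLOWED_TEMPLATES[$name])) {
        return null; // unknown name: reject, never try to guess a file
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . ALLOWED_TEMPLATES[$name]);
    if ($base === false || $path === false) {
        return null; // directory or file missing on disk
    }
    // realpath() collapses "..", symlinks and odd separators; the prefix
    // check guarantees the final path never leaves the intended directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function renderSafe(string $name): void
{
    $path = resolveTemplate($name);
    if ($path === null) {
        http_response_code(400);
        echo 'unknown template';
        return;
    }
    include $path;
}

// Constructed request handling: the parameter name is an assumption.
$requested = $_GET['template'] ?? 'dashboard';
renderSafe($requested);
```

The allowlist does the real work: the request value is only ever used as a key, never as a path fragment, so traversal sequences, wrapper schemes and absolute paths are rejected before any filesystem call. The `realpath()` prefix check is a second layer that also catches a misconfigured allowlist entry pointing outside the directory.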


How to mitigate CVE-2021-43836

Install the security update from the vendor's website.

Sources