CosCMS is prone to a remote command-injection vulnerability. Attackers can exploit this issue to execute arbitrary commands in the context of the application.
The uploadFile function in upload/index.php in CosCMS before 1.822 allows remote administrators to execute arbitrary commands via shell metacharacters in the name of an uploaded file.