CVE-2018-19422
/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.
Date published : 2018-11-21
http://packetstormsecurity.com/files/162591/Subrion-CMS-4.2.1-Shell-Upload.html