
Description

4images 1.9 contains a remote command execution vulnerability. An authenticated administrator can inject reverse shell code into a template through the template-editing functionality; once the malicious code has been saved in the template, the attacker executes arbitrary commands on the server by requesting the categories.php endpoint with a crafted cat_id parameter. Because administrator credentials are required (CVSS PR:H), this is a post-authentication issue: its practical impact depends on how well admin accounts are protected and whether the admin interface is reachable from untrusted networks.
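The chain described above has two observable stages, PHP persisted in a template and a trigger request to categories.php, and each can be checked for. The following Python is an added example, not code from the 4images project, the advisory or the exploit; it assumes that 4images templates are stored as *.html files under a templates/ directory, that the web server writes combined-format access logs, and that a legitimate cat_id is a plain decimal integer. The sample templates and log lines are constructed here for illustration.

```python
from __future__ import annotations

import re
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# Assumption: 4images templates are presentation-only .html files that the
# engine fills in with {placeholders}. A raw PHP open tag or a shell-spawning
# call inside one has no legitimate reason to be there.
PHP_OPEN_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
SHELL_CALL_RE = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
    r"pcntl_exec|fsockopen|base64_decode)\s*\(",
    re.IGNORECASE,
)


def scan_template_text(text: str) -> list[str]:
    """Return findings for one template body, in order of appearance.

    Matches are indicators, not proof: e.g. 'exec(' can also come from
    JavaScript regex code embedded in a template, so review every hit.
    """
    findings = []
    if PHP_OPEN_TAG_RE.search(text):
        findings.append("php-open-tag")
    for m in SHELL_CALL_RE.finditer(text):
        findings.append("call:" + m.group(1).lower())
    return findings


def scan_template_dir(root: Path) -> dict[str, list[str]]:
    """Scan every *.html under root (e.g. templates/); map relative path -> findings."""
    hits: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*.html")):
        findings = scan_template_text(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            hits[path.relative_to(root).as_posix()] = findings
    return hits


# Apache/nginx combined log format; only client IP and request target are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def suspicious_cat_id_requests(log_lines: list[str]) -> list[tuple[str, str, str]]:
    """Flag categories.php requests whose cat_id is not a plain decimal integer.

    cat_id names a category row, so a legitimate client sends digits. This is a
    heuristic (assumption): the advisory does not say what the crafted value
    looks like, so a trigger that uses a purely numeric cat_id is not caught here.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/categories.php"):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("cat_id", []):
            if not value.isdigit():
                hits.append((m.group("ip"), m.group("target"), value))
    return hits


# Constructed samples (not from the advisory): a clean template, a template with
# an injected web-shell stub, and three log lines of which one has a non-numeric cat_id.
SAMPLE_TEMPLATES = {
    "default/header.html": "<html><head><title>{site_name}</title></head>\n<body>{msg}\n",
    "default/categories.html": "{header}\n<?php system($_GET['c']); ?>\n{footer}\n",
}
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jan/2026:10:01:02 +0000] "GET /4images/categories.php?cat_id=3 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [13/Jan/2026:10:05:44 +0000] "GET /4images/categories.php?cat_id=1%27 HTTP/1.1" 200 6100',
    '198.51.100.2 - - [13/Jan/2026:10:06:00 +0000] "GET /4images/details.php?image_id=9 HTTP/1.1" 200 4000',
]


def run_samples() -> tuple[dict[str, list[str]], list[tuple[str, str, str]]]:
    """Run both checks over the constructed samples."""
    template_hits: dict[str, list[str]] = {}
    for name, body in SAMPLE_TEMPLATES.items():
        findings = scan_template_text(body)
        if findings:
            template_hits[name] = findings
    return template_hits, suspicious_cat_id_requests(SAMPLE_LOG)


if __name__ == "__main__":
    tpl, log = run_samples()
    for name, findings in tpl.items():
        print(f"template {name}: {', '.join(findings)}")
    for ip, target, value in log:
        print(f"request from {ip}: {target} (cat_id={value!r})")
```

On a live install, point scan_template_dir at the 4images templates/ directory (and compare against a known-good copy of the shipped templates, since an attacker with admin access can also hide PHP in a template that the scanner's keyword list does not cover), and feed the access log to suspicious_cat_id_requests; a template hit followed by categories.php requests from the same client is the pattern the description above outlines.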

Status: PUBLISHED | Reserved 2025-12-27 | Published 2026-01-13 | Updated 2026-02-02 | Assigner: VulnCheck




HIGH: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
HIGH: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Problem types

Improper Control of Generation of Code ('Code Injection')

Product status

4images 1.9: affected

Credits

Andrey Stoykov (finder)

References

www.exploit-db.com/exploits/51147 (ExploitDB-51147) exploit

www.4homepages.de/ (Official 4images Software Download Page) product

www.vulncheck.com/...ies/images-remote-command-execution-rce (VulnCheck Advisory: 4images 1.9 - Remote Command Execution (RCE)) third-party-advisory

cve.org (CVE-2022-50806)

nvd.nist.gov (CVE-2022-50806)
