Description

NanoCMS 0.4 contains an authenticated file upload vulnerability that allows remote code execution through unvalidated page content creation. Because the page creation mechanism lacks proper input sanitization, authenticated attackers can use it to upload PHP files containing arbitrary code to the server's pages directory.

PUBLISHED Reserved 2026-01-10 | Published 2026-01-13 | Updated 2026-01-29 | Assigner VulnCheck




HIGH: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

HIGH: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Problem types

CWE-434 Unrestricted Upload of File with Dangerous Type

Product status

Default status: unaffected

Version 0.4: affected

Credits

p1ckzi (finder)

References

www.exploit-db.com/exploits/50997 (ExploitDB-50997) exploit

github.com/kalyan02/NanoCMS (NanoCMS GitHub Repository) product

github.com/.../2009-exploits/0904-exploits/nanocms-multi.txt (NanoCMS Exploit Archive) exploit

www.vulncheck.com/...remote-code-execution-rce-authenticated (VulnCheck Advisory: NanoCMS 0.4 - Remote Code Execution (RCE) (Authenticated)) third-party-advisory

cve.org (CVE-2022-50898)

nvd.nist.gov (CVE-2022-50898)
