CVE-2022-50906 | THREATINT

Description

e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files with embedded cross-site scripting (XSS) payloads that can execute arbitrary scripts when viewed.

PUBLISHED Reserved 2026-01-11 | Published 2026-01-13 | Updated 2026-01-16 | Assigner VulnCheck

MEDIUM: 4.8CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

MEDIUM: 4.8CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

3.2.1

affected

Credits

Hubert Wojciechowski finder

References

www.exploit-db.com/exploits/50910 (ExploitDB-50910) exploit

e107.org/ (Official Vendor Homepage) product

e107.org/download (Software Download Page) product

www.vulncheck.com/...in-upload-restriction-bypass-stored-xss (VulnCheck Advisory: e107 CMS v3.2.1 - Admin Upload Restriction Bypass + Stored XSS) third-party-advisory

cve.org (CVE-2022-50906)

nvd.nist.gov (CVE-2022-50906)

Download JSON