
Description

ImpressCMS 1.4.4 contains a file upload vulnerability with weak extension sanitization that allows attackers to upload potentially malicious files. Attackers can bypass file upload restrictions by using the alternative file extensions .php2, .php6, .php7, .phps and .pht to execute arbitrary PHP code on the server.

PUBLISHED Reserved 2026-01-11 | Published 2026-01-13 | Updated 2026-01-14 | Assigner VulnCheck




CRITICAL: 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CRITICAL: 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

Unrestricted Upload of File with Dangerous Type

Product status

1.4.4 affected

Credits

Ünsal Furkan Harani (Zemarkhos) finder

References

www.exploit-db.com/exploits/50890 (ExploitDB-50890) exploit

www.impresscms.org/ (Official ImpressCMS Homepage) product

github.com/ImpressCMS/impresscms (ImpressCMS GitHub Repository) product

www.vulncheck.com/...ies/impresscms-unrestricted-file-upload (VulnCheck Advisory: ImpressCMS 1.4.4 - Unrestricted File Upload) third-party-advisory

cve.org (CVE-2022-50912)

nvd.nist.gov (CVE-2022-50912)
