CVE-2022-50806
Published: 13 January 2026
Summary
CVE-2022-50806 is a high-severity Code Injection (CWE-94) vulnerability in 4Homepages 4Images. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 39.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2022-50806 is a remote command execution vulnerability in 4images version 1.9, stemming from CWE-94 (code injection). It enables authenticated administrators to inject reverse shell code through the template editing functionality. By saving malicious code in a template and then accessing the categories.php endpoint with a crafted cat_id parameter, attackers can trigger execution of arbitrary commands. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H), indicating high impact on confidentiality, integrity, and availability with required high privileges.
Exploitation requires an authenticated administrator account, allowing the attacker to leverage template editing to embed malicious payloads. Once injected, accessing the vulnerable categories.php endpoint with a manipulated cat_id parameter executes the code, such as a reverse shell, granting arbitrary command execution on the server. This scenario targets environments running the affected 4images gallery software, potentially compromising the hosting server.
Advisories and resources, including those from Vulncheck (https://www.vulncheck.com/advisories/images-remote-command-execution-rce) and Exploit-DB (https://www.exploit-db.com/exploits/51147), detail the issue, with a proof-of-concept exploit available on Exploit-DB. The official 4images site (https://www.4homepages.de/) serves as a reference for the software. No specific patches or mitigations are detailed in the provided information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2639
Vulnerability details
4images 1.9 contains a remote command execution vulnerability that allows authenticated administrators to inject reverse shell code through template editing functionality. Attackers can save malicious code in the template and execute arbitrary commands by accessing a specific categories.php endpoint with a crafted cat_id parameter.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct RCE via code injection in public-facing web app (template editing) enabling arbitrary command execution.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly blocks the CWE-94 code injection by validating/sanitizing template contents before they are saved and later executed via categories.php.
- Restricts the ability of authenticated administrators to modify executable templates, limiting the attack surface for embedding reverse-shell payloads.
- Enforces least privilege so that only the minimal subset of admin accounts required for gallery maintenance can access template-editing functions.