CVE-2022-50895
Published: 13 January 2026
Summary
CVE-2022-50895 is a high-severity SQL Injection (CWE-89) vulnerability in Aerocms Project Aerocms. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 41.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-50895 is a SQL injection vulnerability (CWE-89) in Aero CMS version 0.0.1, specifically within the author parameter. This flaw enables attackers to manipulate database queries through boolean-based, error-based, time-based, and UNION query techniques, potentially allowing extraction of sensitive database information and system compromise. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to network accessibility, low attack complexity, and no required privileges or user interaction.
Unauthenticated remote attackers can exploit this vulnerability over the network with minimal effort. By injecting malicious payloads into the author parameter, they can dump sensitive data from the database and escalate to broader system compromise, depending on the backend database and configuration.
Advisories and resources, including a GitHub repository detailing the issue, an archived Aero CMS repository, an Exploit-DB proof-of-concept (ID 51022), and a Vulncheck advisory, provide further technical details and exploitation demonstrations. No patches or specific mitigations are outlined in the core description.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2644
Vulnerability details
Aero CMS 0.0.1 contains a SQL injection vulnerability in the author parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, time-based, and UNION query techniques to extract sensitive database information and potentially compromise the system.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated SQL injection in a public-facing web CMS enables remote exploitation of the application (T1190) to extract DB data and achieve system compromise.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates SQL injection in the author parameter by validating and sanitizing inputs to block malicious boolean-based, error-based, time-based, and UNION query payloads.
- SI-2 (Flaw Remediation): requires identification, reporting, and correction of the SQL injection flaw in Aero CMS, eliminating the vulnerability at its source.
- Prevents error-based SQL injection exploitation by suppressing detailed database error messages that reveal database structure and data.
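The following is an added illustration, not code from Aero CMS or from this advisory, of the defect class described under "Deeper analysis" and of the three controls listed above. It assumes a hypothetical posts table queried by an author parameter (the table, column names and sample rows are constructed for the example and are not Aero CMS's real schema) and uses SQLite so it runs offline. It contrasts a query that pastes the parameter into the SQL text with a parameterized query, adds an allowlist check in the spirit of SI-10, and returns a generic message instead of the database engine's error text.

```python
import re
import sqlite3

# Constructed sample rows standing in for a CMS posts table (not Aero CMS's schema).
POSTS = [
    (1, "alice", "Hello world"),
    (2, "bob", "Second post"),
    (3, "carol", "Third post"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", POSTS)
    conn.commit()
    return conn


def posts_by_author_vulnerable(conn, author):
    """The CWE-89 pattern: the request parameter becomes part of the SQL text itself."""
    sql = "SELECT id, author, title FROM posts WHERE author = '%s'" % author
    return conn.execute(sql).fetchall()


def posts_by_author_safe(conn, author):
    """Parameterized query: the value travels separately from the SQL text, so it can
    never change the query's structure whatever characters it contains."""
    sql = "SELECT id, author, title FROM posts WHERE author = ?"
    return conn.execute(sql, (author,)).fetchall()


# Allowlist for what an author handle may look like (hypothetical policy for this example).
AUTHOR_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_author(author):
    """Input validation in the spirit of SI-10: accept only plausible author handles."""
    return isinstance(author, str) and AUTHOR_RE.fullmatch(author) is not None


def handle_author_request(conn, author):
    """Request handler combining the controls: validate, query with parameters, and
    never echo the database engine's own error message back to the client."""
    if not validate_author(author):
        return {"status": 400, "body": "invalid author parameter"}
    try:
        rows = posts_by_author_safe(conn, author)
    except sqlite3.Error:
        # A generic message: detailed engine errors are what error-based injection reads.
        return {"status": 500, "body": "internal error"}
    return {"status": 200, "body": rows}


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # constructed boolean-based input for the demonstration
    print("vulnerable:", posts_by_author_vulnerable(db, tautology))  # every row
    print("parameterized:", posts_by_author_safe(db, tautology))  # no rows
    print("handler:", handle_author_request(db, tautology))  # rejected by validation
    print("handler:", handle_author_request(db, "alice"))
```

The parameterized query alone closes the injection; the allowlist and the generic error response are defence in depth, so that a future query written without parameters still fails closed rather than leaking schema details.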