
CVE-2022-50895

Severity: High · Public PoC

Published: 13 January 2026
Modified: 02 March 2026
KEV Added: not listed
Patch: none referenced
CVSS v4.0 score: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N)
EPSS score: 0.0055 (41.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2022-50895 is a high-severity SQL Injection (CWE-89) vulnerability in Aero CMS (vendor listed as aerocms project), version 0.0.1. Its CVSS v4.0 base score is 8.8 (High); under CVSS v3.1 the same flaw scores 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 41.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-50895 is a SQL injection vulnerability (CWE-89) in Aero CMS version 0.0.1, in the handling of the author parameter. The parameter value reaches a database query without being neutralized, so an attacker can alter the query using boolean-based, error-based, time-based, and UNION query techniques, extract database contents, and, depending on the database engine and its privileges, escalate to broader system compromise. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), Critical, reflecting network accessibility, low attack complexity, and no required privileges or user interaction. The CVSS v4.0 vector above rates integrity impact Low and availability impact None, which is why the v4.0 score is 8.8 (High) rather than Critical.

Unauthenticated remote attackers can exploit this vulnerability over the network with minimal effort. By injecting malicious payloads into the author parameter, they can dump sensitive data from the database and escalate to broader system compromise, depending on the backend database and configuration.

Advisories and resources, including a GitHub repository detailing the issue, the archived Aero CMS repository, an Exploit-DB proof-of-concept (ID 51022), and a VulnCheck advisory, provide further technical details and exploitation demonstrations. No patches or specific mitigations are outlined in the core description, and no fixed version is listed; 0.0.1 is the only affected version recorded.

Vulnerability details

Aero CMS 0.0.1 contains a SQL injection vulnerability in the author parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, time-based, and UNION query techniques to extract sensitive database information and potentially compromise the system.

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated SQL injection in a public-facing web CMS enables remote exploitation of the application (T1190) to extract DB data and achieve system compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
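Detection side of the T1190 activity described above, as an added example that is not part of the page's sources or of Aero CMS: the function below reads web-server access-log lines, pulls the author query parameter out of each request, percent-decodes it, and labels it by the injection technique it resembles (UNION, time-based, boolean-based, or comment truncation). The log lines, client addresses, the /post.php path and the user-agent strings are all constructed for illustration; the regexes are a starting point, not a complete SQL injection grammar.

```python
"""Added example, not Aero CMS code: classify 'author' values in access logs.
All sample log lines, IPs, paths and user agents below are constructed."""
from __future__ import annotations

import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic: one benign request, three probes in the order a
# scanner typically tries them, and a benign name containing an apostrophe.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jan/2026:10:01:02 +0000] "GET /post.php?author=alice HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Jan/2026:10:01:07 +0000] "GET /post.php?author=alice%27%20AND%20%271%27%3D%271 HTTP/1.1" 200 5120 "-" "sqlmap/1.7"
203.0.113.9 - - [13/Jan/2026:10:01:09 +0000] "GET /post.php?author=alice%27%20AND%20SLEEP%285%29-- HTTP/1.1" 200 5120 "-" "sqlmap/1.7"
203.0.113.9 - - [13/Jan/2026:10:01:11 +0000] "GET /post.php?author=x%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 200 8800 "-" "sqlmap/1.7"
198.51.100.7 - - [13/Jan/2026:10:02:00 +0000] "GET /post.php?author=O%27Brien HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
"""

# Combined-log-format request line: client IP, timestamp, method and target.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Ordered from most to least specific; the first match names the technique.
# A lone apostrophe (O'Brien) matches none of these, which keeps ordinary
# author names out of the alert stream.
TECHNIQUES = [
    ("union", re.compile(r"\bUNION\b[\s\S]*?\bSELECT\b", re.I)),
    ("time-based", re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.I)),
    ("boolean-based", re.compile(r"(?:^|['\"]|\s)\s*(AND|OR)\s+['\"]?\w+['\"]?\s*(=|<|>|LIKE\b)", re.I)),
    ("comment-truncation", re.compile(r"(--|/\*|#)\s*$")),
]


def classify_payload(value: str) -> Optional[str]:
    """Return the technique label for a decoded parameter value, or None."""
    for name, pattern in TECHNIQUES:
        if pattern.search(value):
            return name
    return None


def find_sqli_attempts(log_text: str, param: str = "author") -> list[dict]:
    """Scan access-log text and return one record per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes values, so the regexes see the raw payload.
        for value in parse_qs(query).get(param, []):
            technique = classify_payload(value)
            if technique:
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "technique": technique, "payload": value})
    return hits


if __name__ == "__main__":
    for hit in find_sqli_attempts(SAMPLE_LOG):
        print(f"{hit['ip']:14} {hit['technique']:18} {hit['payload']!r}")
```

Pair this with a threshold on distinct techniques per source address in a short window: a single boolean probe is noise, but boolean, time-based and UNION probes from one client in four seconds is the enumeration sequence of an automated scanner.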

CVEs Like This One

CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)
CVE-2021-47872 (shared CWE-89)
CVE-2025-28873 (shared CWE-89)
CVE-2019-25636 (shared CWE-89)
CVE-2026-32611 (shared CWE-89)
CVE-2026-42755 (shared CWE-89)
CVE-2024-53544 (shared CWE-89)
CVE-2026-21410 (shared CWE-89)

Affected Assets

Vendor: aerocms project
Product: aerocms
Version: 0.0.1

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly mitigates SQL injection in the author parameter by validating and sanitizing inputs to block malicious boolean-based, error-based, time-based, and UNION query payloads. Validation is defence in depth here: the root fix for CWE-89 is to pass the author value to the database as a bound parameter rather than splicing it into the query text.

SI-2 Flaw Remediation (prevent)

Requires identification, reporting, and correction of the SQL injection flaw in Aero CMS, eliminating the vulnerability at its source.

Error handling (prevent; control identifier not given on the page)

Prevents error-based SQL injection exploitation by suppressing detailed database error messages that reveal structure and data.
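The exploitation path described under Deeper analysis and the input-handling and error-handling controls above, as one added example that is not Aero CMS code and not from any of the page's references: a minimal stand-in for a CMS lookup on an author request parameter, written once with string concatenation (the CWE-89 pattern) and once with a bound parameter. The schema, table names, rows and the payload strings are constructed for illustration; SQLite is used so the block runs offline, which also means the time-based technique cannot be shown (SQLite has no sleep function).

```python
"""Added example, not Aero CMS code: vulnerable vs. parameterized author lookup.
Schema, rows and payloads are constructed; SQLite stands in for the real DB."""
import sqlite3
from typing import Callable, Optional


def make_db() -> sqlite3.Connection:
    # Constructed schema: a posts table the page is meant to read, and a users
    # table the attacker wants to reach through it.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO posts (author, title) VALUES ('alice', 'Hello world'), ('bob', 'Second post');
        INSERT INTO users (username, password_hash) VALUES ('admin', 'constructed-hash-value');
        """
    )
    return conn


def posts_by_author_vulnerable(conn: sqlite3.Connection, author: str) -> list:
    # The attacker-controlled value is spliced into the SQL text, so a quote in
    # it ends the literal and whatever follows is parsed as SQL.
    sql = f"SELECT author, title FROM posts WHERE author = '{author}'"
    return conn.execute(sql).fetchall()


def posts_by_author_fixed(conn: sqlite3.Connection, author: str) -> list:
    # The SQL grammar is fixed before the attacker's bytes are seen; the value
    # is bound as data, so quotes, AND and UNION inside it are never executed.
    sql = "SELECT author, title FROM posts WHERE author = ?"
    return conn.execute(sql, (author,)).fetchall()


def probe_error(lookup: Callable, conn: sqlite3.Connection, author: str) -> Optional[str]:
    # Returns the database error text a malformed payload provokes, or None.
    # Echoing this text to the client is what error-based injection relies on;
    # the fixed lookup never raises because the payload is just a value.
    try:
        lookup(conn, author)
        return None
    except sqlite3.Error as exc:
        return str(exc)


# Payloads for two of the techniques named in the advisory. Against the
# vulnerable lookup, BOOLEAN_TRUE returns alice's post and BOOLEAN_FALSE
# returns nothing (the oracle a blind attacker reads); UNION_DUMP pulls
# rows from users instead of posts.
BOOLEAN_TRUE = "alice' AND '1'='1"
BOOLEAN_FALSE = "alice' AND '1'='2"
UNION_DUMP = "x' UNION SELECT username, password_hash FROM users WHERE '1'='1"

if __name__ == "__main__":
    db = make_db()
    for name, lookup in (("vulnerable", posts_by_author_vulnerable),
                         ("fixed", posts_by_author_fixed)):
        print(name)
        print("  boolean true :", lookup(db, BOOLEAN_TRUE))
        print("  boolean false:", lookup(db, BOOLEAN_FALSE))
        print("  union dump   :", lookup(db, UNION_DUMP))
        print("  error leak   :", probe_error(lookup, db, "alice'"))
```

The fixed lookup returns an empty list for every payload because no author is literally named "alice' AND '1'='1"; that is the whole point of binding. Input validation on top of it (rejecting characters an author name never contains) shrinks the attack surface further, and keeping database error text out of HTTP responses removes the error-based oracle even where a query is still vulnerable.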
