Cyber Resilience

CVE-2022-50898

High · Public PoC

Published: 13 January 2026

Modified: 29 January 2026
KEV Added
Patch
CVSS Score v4: 8.6
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0111 (61.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2022-50898 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Kalyan02 Nanocms. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 38.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-50898 is an authenticated file upload vulnerability in NanoCMS version 0.4 that enables remote code execution. The issue stems from unvalidated page content creation, where the page creation mechanism lacks proper input sanitization, allowing attackers to upload PHP files containing arbitrary code directly to the server's pages directory. This flaw is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Authenticated attackers with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction. By leveraging the flawed page creation process, they can upload and execute malicious PHP code on the server, achieving full remote code execution and potentially compromising the entire system through high impacts on confidentiality, integrity, and availability.

Reference advisories and resources, including Exploit-DB entry 50997, a VulnCheck advisory on authenticated RCE in NanoCMS, and GitHub exploit archives, document the vulnerability with proof-of-concept exploits but do not specify patches or mitigations in the provided details. The NanoCMS GitHub repository is also referenced, indicating the affected open-source component.


Vulnerability details

NanoCMS 0.4 contains an authenticated file upload vulnerability that allows remote code execution through unvalidated page content creation. Authenticated attackers can upload PHP files with arbitrary code to the server's pages directory by exploiting the page creation mechanism without proper input sanitization.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The vulnerability allows authenticated attackers to exploit a public-facing web application (NanoCMS) via unrestricted file upload of malicious PHP files, enabling remote code execution equivalent to deploying a web shell.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1978 · Same product: Kalyan02 Nanocms
CVE-2025-22654 · Shared CWE-434
CVE-2025-11948 · Shared CWE-434
CVE-2025-67260 · Shared CWE-434
CVE-2025-28915 · Shared CWE-434
CVE-2023-53956 · Shared CWE-434
CVE-2025-6058 · Shared CWE-434
CVE-2021-47819 · Shared CWE-434
CVE-2025-7852 · Shared CWE-434
CVE-2026-4883 · Shared CWE-434

Affected Assets

Vendor: kalyan02 · Product: nanocms · Version: 0.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent · Directly requires input validation and sanitization at page creation interfaces to block unvalidated uploads of malicious PHP files.

prevent · Mandates identification, reporting, and correction of the unrestricted file upload flaw in NanoCMS 0.4 to eliminate the RCE vulnerability.

prevent · Enforces restrictions on file types and content during authenticated page creation to prevent upload of dangerous PHP code to the pages directory.
