Cyber Posture

CVE-2022-50907

High · Public PoC

Published: 13 January 2026

Modified: 16 January 2026
KEV Added
Patch
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0046 (64.3th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-50907 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in e107 (vendor: e107, product: e107). Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 35.7% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-434

Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

addresses: CWE-434

Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

addresses: CWE-434

Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

addresses: CWE-434

Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.

NVD Description

e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. Attackers can upload malicious PHP files to parent directories by manipulating the upload URL parameter, enabling remote code execution through the Media Manager import feature.

Deeper analysis (AI)

CVE-2022-50907 is a file upload vulnerability in e107 CMS version 3.2.1 that enables authenticated administrative users to bypass upload restrictions and execute arbitrary PHP files. By manipulating the upload URL parameter in the Media Manager import feature, attackers can place malicious PHP files into parent directories, resulting in remote code execution. The issue is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

The vulnerability requires administrative privileges (PR:H) but can be exploited remotely (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). An authenticated admin can upload and execute malicious PHP code, achieving full remote code execution on the server with high impacts to confidentiality, integrity, and availability.

Advisories and resources include the official e107.org site and its download page for updates, an Exploit-DB entry (exploits/50910) with a proof-of-concept, and a VulnCheck advisory detailing the e-Cms admin upload restriction bypass leading to RCE. Security practitioners should consult these for patch availability and mitigation guidance.

Details

CWE(s)

Affected Products

e107
e107
3.2.1

CVEs Like This One

CVE-2022-50916 · Same product: E107 E107
CVE-2022-50939 · Same product: E107 E107
CVE-2022-50905 · Same product: E107 E107
CVE-2025-11941 · Same product: E107 E107
CVE-2021-35485 · Shared CWE-434
CVE-2020-36942 · Shared CWE-434
CVE-2025-34299 · Shared CWE-434
CVE-2025-26411 · Shared CWE-434
CVE-2024-57169 · Shared CWE-434
CVE-2023-53933 · Shared CWE-434
