CVE-2022-50907

Severity: High · Public PoC

Published: 13 January 2026
Modified: 16 January 2026
CVSS v4 score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0105 (59.8th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2022-50907 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the e107 CMS (vendor E107). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2022-50907 is a file upload vulnerability in e107 CMS version 3.2.1 that enables authenticated administrative users to bypass upload restrictions and execute arbitrary PHP files. By manipulating the upload URL parameter in the Media Manager import feature, attackers can place malicious PHP files into parent directories, resulting in remote code execution. The issue is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

The vulnerability requires administrative privileges (PR:H) but can be exploited remotely (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). An authenticated admin can upload and execute malicious PHP code, achieving full remote code execution on the server with high impacts to confidentiality, integrity, and availability.

Advisories and resources include the official e107.org site and its download page for updates, an Exploit-DB entry (exploits/50910) with a proof-of-concept, and a VulnCheck advisory detailing the e-Cms admin upload restriction bypass leading to RCE. Security practitioners should consult these for patch availability and mitigation guidance.


Vulnerability details

e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. Attackers can upload malicious PHP files to parent directories by manipulating the upload URL parameter, enabling remote code execution through the Media Manager import feature.

CWE(s): CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload in public-facing CMS enables RCE via malicious PHP web shell upload.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2022-50916 (same product: e107)
CVE-2022-50939 (same product: e107)
CVE-2025-11941 (same product: e107)
CVE-2022-50905 (same product: e107)
CVE-2025-22654 (shared CWE-434)
CVE-2025-11948 (shared CWE-434)
CVE-2025-67260 (shared CWE-434)
CVE-2025-28915 (shared CWE-434)
CVE-2023-53956 (shared CWE-434)
CVE-2025-6058 (shared CWE-434)

Affected Assets

e107 (vendor E107), version 3.2.1

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent (SI-10 Information Input Validation): Directly enforces validation of file types, names, and path parameters during upload to block dangerous PHP files and directory traversal in the Media Manager.

Prevent (AC-3 Access Enforcement): Enforces the intended upload authorization policy that the vulnerability bypasses, preventing placement of executable files outside allowed directories.

Prevent/detect: Scans or filters uploaded content for malicious code (e.g., PHP webshells) before execution is possible, mitigating the RCE outcome of the CWE-434 flaw.
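As an added illustration of the SI-10 control described above (example code, not e107's own implementation), the following Python function shows the two checks a URL-import feature like the Media Manager's needs: an extension allow-list that also rejects executable extensions anywhere in the name, and confinement of the destination path to the media root so a manipulated directory parameter cannot reach a parent directory. The media root, extension sets and function name are constructed for the example.

```python
import posixpath
from urllib.parse import urlparse

# Constructed policy values for this example (not e107's real configuration).
MEDIA_ROOT = "/var/www/e107_media/uploads"
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "pdf"}
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def validate_import(source_url: str, requested_dir: str = "") -> tuple:
    """Validate a URL-import request; return (ok, reason_or_target_path).

    Hypothetical helper modelling the server-side checks an import endpoint
    should run before fetching and storing the remote file.
    """
    parsed = urlparse(source_url)
    if parsed.scheme not in ("http", "https"):
        return (False, "unsupported URL scheme")

    # Only the last path component names the file; the URL path must never
    # steer the destination directory.
    name = posixpath.basename(parsed.path)
    if not name or name in (".", ".."):
        return (False, "no usable filename in URL")

    parts = name.lower().split(".")
    if len(parts) < 2:
        return (False, "filename has no extension")
    # Reject executable extensions in any position (shell.php.jpg), not just
    # the last one, since some web server handler configs match inner ones.
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return (False, "executable extension in filename")
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return (False, "extension not in allow-list")

    # Normalise the requested destination and require it to stay inside
    # MEDIA_ROOT; '../' sequences and absolute paths both fail this check.
    target = posixpath.normpath(posixpath.join(MEDIA_ROOT, requested_dir, name))
    if posixpath.commonpath([MEDIA_ROOT, target]) != MEDIA_ROOT:
        return (False, "destination escapes media root")
    return (True, target)


if __name__ == "__main__":
    # Constructed sample requests: one benign import and three that must fail.
    for url, subdir in [("https://example.test/img/cat.jpg", "gallery"),
                        ("https://example.test/shell.php", ""),
                        ("https://example.test/shell.PHP.jpg", ""),
                        ("https://example.test/cat.jpg", "../../")]:
        print(url, subdir or "<root>", "->", validate_import(url, subdir))
```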
