CVE-2016-20052 CRITICAL

CVE-2016-20052: Snews CMS 1.7 Unrestricted File Upload via snews_files

Vendor Snewscms
Product Snews CMS upload sheller
Weakness CWE-434 · Unrestricted file upload
Published April 4, 2026
Last update April 6, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Snews CMS 1.7 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files including PHP executables to the snews_files directory. Attackers can upload malicious PHP files through the multipart form-data upload endpoint and execute them by accessing the uploaded file path to achieve remote code execution.

Key dates

02Disclosure timeline

April 4, 2026 CVE published
April 6, 2026 Record updated