CVE-2022-23626 HIGH

CVE-2022-23626: Insufficient file checks in m1k1o/blog

Vendor M1K1O

Product blog

Weakness CWE-20 · Input validation

Published February 8, 2022

Last update April 22, 2025

View on NVD All CVEs

CVSS base score

8.5/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

m1k1o/blog is a lightweight self-hosted facebook-styled PHP blog. Errors from functions `imagecreatefrom*` and `image*` have not been checked properly. Although PHP issued warnings and the upload function returned `false`, the original file (that could contain a malicious payload) was kept on the disk. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

Key dates

02Disclosure timeline

February 8, 2022 CVE published

April 22, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-23626 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

CVE-2022-23626: Insufficient file checks in m1k1o/blog

01Description

02Disclosure timeline

03References

04Related CVE