CVE-2022-50795 HIGH

CVE-2022-50795: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Conditional Command Injection via traceroute.php

Vendor Sound4 Ltd.

Product Impact/Pulse/First

Weakness CWE-78

Published December 30, 2025

Last update January 16, 2026

View on NVD All CVEs

CVSS base score

8.5/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains a conditional command injection vulnerability that allows local authenticated users to create malicious files in the /tmp directory. Unauthenticated attackers can execute commands by making a single HTTP POST request to the traceroute.php script, which triggers the malicious file and then deletes it after execution.

Key dates

02Disclosure timeline

December 30, 2025 CVE published

January 16, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-50795

Related vulnerabilities

Identifiers

CVE CVE-2022-50795

CWE CWE-78

CVSS 8.5 / HIGH

Affected versions

Vendor Sound4 Ltd.

Product Impact/Pulse/First

Affected Version 2: 1.1/2.15

Vendor Sound4 Ltd.

Product Impact/Pulse Eco

Affected 1.16

Vendor Sound4 Ltd.

Product BigVoice4

Affected 1.2

Vendor Sound4 Ltd.

Product BigVoice2

Affected 1.30

Vendor Sound4 Ltd.

Product Stream

Affected 1.1/2.4.29

Vendor Kantar Media

Product WM2

Affected 1.11

CVE-2022-50795: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Conditional Command Injection via traceroute.php

01Description

02Disclosure timeline

03References

04Related CVE