CVE-2022-50806 HIGH

CVE-2022-50806: 4images 1.9 - Remote Command Execution (RCE)

Vendor: 4Homepages
Product: 4images
Weakness: CWE-94 (Code injection)
Published: January 13, 2026
Last update: April 7, 2026

CVSS base score

8.6/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

4images 1.9 contains a remote command execution vulnerability that allows authenticated administrators to inject reverse shell code through the template editing functionality. An attacker can save malicious code in a template and then execute arbitrary commands by requesting a specific categories.php endpoint with a crafted cat_id parameter.

Key dates

02 Disclosure timeline

January 13, 2026: CVE published
April 7, 2026: Record updated