CVE-2022-50898 HIGH

CVE-2022-50898: NanoCMS 0.4 - Remote Code Execution (RCE) (Authenticated)

Vendor Kalyan02
Product NanoCMS
Weakness CWE-434 · Unrestricted file upload
Published January 13, 2026
Last update January 29, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

NanoCMS 0.4 contains an authenticated file upload vulnerability that allows remote code execution through unvalidated page content creation. Authenticated attackers can upload PHP files with arbitrary code to the server's pages directory by exploiting the page creation mechanism without proper input sanitization.

Key dates

02Disclosure timeline

January 13, 2026 CVE published
January 29, 2026 Record updated