CVE-2022-50906 MEDIUM

CVE-2022-50906: e107 CMS v3.2.1 - Admin Upload Restriction Bypass + Stored XSS

Vendor E107
Product e107 CMS
Weakness CWE-79 · XSS
Published January 13, 2026
Last update April 7, 2026

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files with embedded cross-site scripting (XSS) payloads that can execute arbitrary scripts when viewed.

Key dates

02Disclosure timeline

January 13, 2026 CVE published
April 7, 2026 Record updated

Related vulnerabilities

04Related CVE