CVE-2022-50907 HIGH

CVE-2022-50907: e107 CMS v3.2.1 - Admin Upload Restriction Bypass + RCE

Vendor: E107
Product: e107 CMS
Weakness: CWE-434 · Unrestricted file upload
Published: January 13, 2026
Last update: April 7, 2026

CVSS base score

8.6/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. Attackers can upload malicious PHP files to parent directories by manipulating the upload URL parameter, enabling remote code execution through the Media Manager import feature.

Key dates

02 Disclosure timeline

January 13, 2026: CVE published
April 7, 2026: Record updated
