CVE-2022-50906

e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files with embedded cross-site scripting (XSS) payloads that can execute arbitrary scripts when viewed.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://e107.org/	Product
https://e107.org/download	Product
https://www.exploit-db.com/exploits/50910	Exploit Third Party Advisory VDB Entry
https://www.vulncheck.com/advisories/e-cms-admin-upload-restriction-bypass-stored-xss	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:e107:e107:3.2.1:*:*:*:*:*:*:*

History

17 Jun 2026, 05:24

Type	Values Removed	Values Added
Summary		(es) e107 CMS 3.2.1 contiene una vulnerabilidad de omisión de restricción de carga que permite a los administradores autenticados cargar archivos SVG maliciosos a través del gestor de medios. Los atacantes con privilegios de administrador pueden explotar esta vulnerabilidad para cargar archivos SVG con cargas útiles de cross-site scripting (XSS) incrustadas que pueden ejecutar scripts arbitrarios al ser vistos.

16 Jan 2026, 19:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~6.4~~	v2 : unknown v3 : 4.8

15 Jan 2026, 22:18

Type	Values Removed	Values Added
First Time		E107 E107 e107
CPE		cpe:2.3:a:e107:e107:3.2.1:::::::*
References	~~() https://e107.org/ -~~	() https://e107.org/ - Product
References	~~() https://e107.org/download -~~	() https://e107.org/download - Product
References	~~() https://www.exploit-db.com/exploits/50910 -~~	() https://www.exploit-db.com/exploits/50910 - Exploit, Third Party Advisory, VDB Entry
References	~~() https://www.vulncheck.com/advisories/e-cms-admin-upload-restriction-bypass-stored-xss -~~	() https://www.vulncheck.com/advisories/e-cms-admin-upload-restriction-bypass-stored-xss - Third Party Advisory

13 Jan 2026, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-13 23:15

Updated : 2026-06-17 05:24

NVD link : CVE-2022-50906

Mitre link : CVE-2022-50906

CVE.ORG link : CVE-2022-50906

JSON object : View

Products Affected

e107

e107

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

4.8 /10