CVE-2022-45544

HIGH

SCHLIX CMS 2.2.7-2 - Authenticated Arbitrary File Upload via tristao Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-45544. PoCs published by tristao-io.

AI-analyzed exploit summary This PoC demonstrates an authenticated arbitrary file upload vulnerability in Schlix CMS 2.2.7-2, leading to remote code execution by modifying a theme's index.php file to include malicious PHP code.

Description

Insecure Permission vulnerability in Schlix Web Inc SCHLIX CMS 2.2.7-2 allows attacker to upload arbitrary files and execute arbitrary code via the tristao parameter. NOTE: this is disputed by the vendor because an admin is intentionally allowed to upload new executable PHP code, such as a theme that was obtained from a trusted source or was developed for their own website. Only an admin can upload such code, not someone else in an "attacker" role.

Exploits (1)

nomisec WORKING POC
by tristao-io · poc
https://github.com/tristao-io/CVE-2022-45544

This PoC demonstrates an authenticated arbitrary file upload vulnerability in Schlix CMS 2.2.7-2, leading to remote code execution by modifying a theme's index.php file to include malicious PHP code.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Schlix CMS 2.2.7-2
Auth required
Prerequisites: Valid credentials for the Schlix CMS admin panel · Access to the theme manager functionality · Ability to upload a modified theme package
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 8.8
EPSS 0.0132
EPSS Percentile 67.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-863
Status published
Products (1)
schlix/cms 2.2.7-2
Published Feb 07, 2023
Tracked Since Feb 18, 2026