CVE-2022-50806

HIGH

4images 1.9 - Authenticated Remote Code Execution via Template Editing and Categories Endpoint

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-50806. PoCs published by Andrey Stoykov.

AI-analyzed exploit summary: This exploit demonstrates a Remote Command Execution (RCE) vulnerability in 4images 1.9 by injecting a reverse shell payload into the 'categories.html' template via the admin interface. The payload is executed when accessing the manipulated template.

Description

4images 1.9 contains a remote command execution vulnerability that allows authenticated administrators to inject reverse shell code through template editing functionality. Attackers can save malicious code in the template and execute arbitrary commands by accessing a specific categories.php endpoint with a crafted cat_id parameter.

Exploits (1)

exploitdb WORKING POC
by Andrey Stoykov · text · webapps · php
https://www.exploit-db.com/exploits/51147

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: 4images 1.9
Auth required
Prerequisites: Admin credentials for 4images · Access to the admin panel · Network access to the target
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Product: https://www.4homepages.de/

Scores

CVSS v3 7.2
EPSS 0.0109
EPSS Percentile 60.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE CWE-94
Status published
Products (2)
4homepages/4images 1.9
4Homepages/4images 1.9
Published Jan 13, 2026
Tracked Since Feb 18, 2026