CVE-2022-50898

HIGH

NanoCMS 0.4 - RCE

Title source: llm

Description

NanoCMS 0.4 contains an authenticated file upload vulnerability that allows remote code execution through unvalidated page content creation. The page creation mechanism does not properly sanitize input, so authenticated attackers can upload PHP files containing arbitrary code to the server's pages directory.

Exploits (1)

exploitdb WORKING POC
by p1ckzi · python · webapps · php
https://www.exploit-db.com/exploits/50997

Scores

CVSS v3 8.8
EPSS 0.0037
EPSS Percentile 59.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (1)
kalyan02/nanocms 0.4
Published Jan 13, 2026
Tracked Since Feb 18, 2026