CVE-2022-50898

HIGH

NanoCMS 0.4 - Remote Code Execution

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-50898. PoCs published by p1ckzi.

AI-analyzed exploit summary: This exploit leverages an authenticated file upload vulnerability in NanoCMS v0.4 to achieve remote code execution by uploading a PHP reverse shell. The script automates login, file upload, and optional execution of the uploaded payload.

Description

NanoCMS 0.4 contains an authenticated file upload vulnerability that allows remote code execution through unvalidated page content creation. Because the page creation mechanism lacks proper input sanitization, authenticated attackers can use it to upload PHP files containing arbitrary code to the server's pages directory.

Exploits (1)

exploitdb WORKING POC
by p1ckzi · python · webapps · php
https://www.exploit-db.com/exploits/50997


Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: NanoCMS v0.4
Auth required
Prerequisites: Valid credentials for NanoCMS admin panel · Network access to the target server
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 8.8
EPSS: 0.0111
EPSS Percentile: 61.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-434
Status: published
Products (1): kalyan02/nanocms 0.4
Published: Jan 13, 2026
Tracked Since: Feb 18, 2026