CVE-2022-50906

MEDIUM

e107 CMS 3.2.1 - Authenticated Stored Cross-Site Scripting via SVG Upload Bypass

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-50906. PoCs published by Hubert Wojciechowski.

AI-analyzed exploit summary This exploit demonstrates multiple vulnerabilities in e107 CMS v3.2.1, including reflected XSS, stored XSS via SVG upload, RCE through PHP file upload, and server file override. The PoC includes detailed HTTP requests and responses for each vulnerability.

Description

e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files with embedded cross-site scripting (XSS) payloads that can execute arbitrary scripts when viewed.

Exploits (1)

exploitdb WORKING POC

by Hubert Wojciechowski · textwebappsphp

https://www.exploit-db.com/exploits/50910

View Code ZIP pw:eip

This exploit demonstrates multiple vulnerabilities in e107 CMS v3.2.1, including reflected XSS, stored XSS via SVG upload, RCE through PHP file upload, and server file override. The PoC includes detailed HTTP requests and responses for each vulnerability.

Classification

Working Poc 95%

Attack Type

Xss | Rce | Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: e107 CMS v3.2.1

Auth required

Prerequisites: Authenticated user access · Admin privileges for file upload exploits

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Third Party Advisory, VDB Entry exploit

https://www.exploit-db.com/exploits/50910

Product product

https://e107.org/

Product product

https://e107.org/download

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/e-cms-admin-upload-restriction-bypass-stored-xss

Scores

CVSS v3 4.8

EPSS 0.0035

EPSS Percentile 27.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

e107/e107 3.2.1

e107/e107 CMS 3.2.1

Published Jan 13, 2026

Tracked Since Feb 18, 2026