CVE-2022-50907

HIGH

e107 CMS <3.2.1 - Authenticated RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-50907. PoCs published by Hubert Wojciechowski.

AI-analyzed exploit summary This exploit demonstrates multiple vulnerabilities in e107 CMS v3.2.1, including reflected XSS, stored XSS via SVG upload, RCE through PHP file upload, and server file override. The PoC includes detailed HTTP requests and responses for each vulnerability.

Description

e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. Attackers can upload malicious PHP files to parent directories by manipulating the upload URL parameter, enabling remote code execution through the Media Manager import feature.

Exploits (1)

exploitdb WORKING POC
by Hubert Wojciechowski · textwebappsphp
https://www.exploit-db.com/exploits/50910

This exploit demonstrates multiple vulnerabilities in e107 CMS v3.2.1, including reflected XSS, stored XSS via SVG upload, RCE through PHP file upload, and server file override. The PoC includes detailed HTTP requests and responses for each vulnerability.

Classification
Working Poc 95%
Attack Type
Xss | Rce | Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: e107 CMS v3.2.1
Auth required
Prerequisites: Authenticated user access · Admin privileges for file upload exploits
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit, Third Party Advisory, VDB Entry exploit
https://www.exploit-db.com/exploits/50910
Product product
https://e107.org/
Product product
https://e107.org/download

Scores

CVSS v3 7.2
EPSS 0.0105
EPSS Percentile 59.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-434
Status published
Products (2)
e107/e107 3.2.1
e107/e107 CMS 3.2.1
Published Jan 13, 2026
Tracked Since Feb 18, 2026