CVE-2022-50912

CRITICAL

ImpressCMS 1.4.4 - Unrestricted File Upload via Weak Extension Sanitization Bypass

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-50912. PoCs published by Ünsal Furkan Harani.

AI-analyzed exploit summary: The analysis describes a file upload vulnerability in ImpressCMS v1.4.4 due to a weak blacklist method in the 'extensionsToBeSanitized' function, allowing bypass via extensions like .php2, .php6, etc. The writeup provides specific technical details about the affected function and vulnerable extensions.

Description

ImpressCMS 1.4.4 contains a file upload vulnerability caused by weak extension sanitization, which allows attackers to upload potentially malicious files. Attackers can bypass the file upload restrictions by using the alternative file extensions .php2, .php6, .php7, .phps and .pht to execute arbitrary PHP code on the server.

Exploits (1)

exploitdb WRITEUP
by Ünsal Furkan Harani · text · webapps · php
https://www.exploit-db.com/exploits/50890

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ImpressCMS v1.4.4
No auth needed
Prerequisites: Access to file upload functionality
devstral-2 · analyzed Feb 18, 2026

References (4)

Core References
Exploit, Third Party Advisory, VDB Entry exploit
https://www.exploit-db.com/exploits/50890
Product product
https://www.impresscms.org/

Scores

CVSS v3 9.8
EPSS 0.0098
EPSS Percentile 57.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
impresscms/impresscms 1.4.4
Published Jan 13, 2026
Tracked Since Feb 18, 2026