CVE-2022-50916

HIGH

e107 CMS 3.2.1 - Authenticated Arbitrary File Write via Media Manager Import URL Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-50916. PoCs published by Hubert Wojciechowski.

AI-analyzed exploit summary This exploit demonstrates multiple vulnerabilities in e107 CMS v3.2.1, including reflected XSS, stored XSS via SVG upload, RCE through PHP file upload, and server file override. The PoC includes detailed HTTP requests and responses for each vulnerability.

Description

e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to override server files through the Media Manager import functionality. Attackers can exploit the upload mechanism by manipulating the upload URL parameter to overwrite existing files like top.php in the web application directory.

Exploits (1)

exploitdb WORKING POC

by Hubert Wojciechowski · textwebappsphp

https://www.exploit-db.com/exploits/50910

View Code ZIP pw:eip

This exploit demonstrates multiple vulnerabilities in e107 CMS v3.2.1, including reflected XSS, stored XSS via SVG upload, RCE through PHP file upload, and server file override. The PoC includes detailed HTTP requests and responses for each vulnerability.

Classification

Working Poc 95%

Attack Type

Xss | Rce | Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: e107 CMS v3.2.1

Auth required

Prerequisites: Authenticated user access · Admin privileges for file upload exploits

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Third Party Advisory, VDB Entry exploit

https://www.exploit-db.com/exploits/50910

Product product

https://e107.org/

Product product

https://e107.org/download

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/e-cms-upload-restriction-bypass-authenticated-admin-server-file-override

Scores

CVSS v3 7.2

EPSS 0.0080

EPSS Percentile 51.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (2)

e107/e107 3.2.1

e107/e107 CMS 3.2.1

Published Jan 13, 2026

Tracked Since Feb 18, 2026