CVE-2022-50939

HIGH

e107 CMS <3.2.1 - Path Traversal

Title source: llm

Description

e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to override arbitrary server files through path traversal. The vulnerability exists in the Media Manager's remote URL upload functionality (image.php) where the upload_caption parameter is not properly sanitized. An attacker with administrative privileges can use directory traversal sequences (../../../) in the upload_caption field to overwrite critical system files outside the intended upload directory. This can lead to complete compromise of the web application by overwriting configuration files, executable scripts, or other critical system components. The vulnerability was discovered by Hubert Wojciechowski and affects the image.php component in the admin interface.

Exploits (1)

exploitdb WORKING POC
by Hubert Wojciechowski · textwebappsphp
https://www.exploit-db.com/exploits/50910

References (4)

Scores

CVSS v3 7.2
EPSS 0.0070
EPSS Percentile 72.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-22 CWE-434
Status published
Products (2)
e107/e107 3.2.1
E107/e107 CMS 3.2.1
Published Jan 13, 2026
Tracked Since Feb 18, 2026