e107 CMS v3.2.1 - Admin Upload Restriction Bypass + Stored XSS | Advisories

Advisories

e107 CMS v3.2.1 - Admin Upload Restriction Bypass + Stored XSS

severity: medium
date: January 13, 2026
Affecting: e107 CMS 3.2.1
CVE: CVE-2022-50906
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 4.8
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
References: ExploitDB-50910
Official Vendor Homepage
Software Download Page
Credit: Hubert Wojciechowski
Description: e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files with embedded cross-site scripting (XSS) payloads that can execute arbitrary scripts when viewed.