4images 1.9 - Remote Command Execution (RCE) | Advisories

Advisories

4images 1.9 - Remote Command Execution (RCE)

severity: high
date: January 13, 2026
Affecting: 4images 1.9
CVE: CVE-2022-50806
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
CVSS: 8.6
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-51147
Official 4images Software Download Page
Credit: Andrey Stoykov
Description: 4images 1.9 contains a remote command execution vulnerability that allows authenticated administrators to inject reverse shell code through template editing functionality. Attackers can save malicious code in the template and execute arbitrary commands by accessing a specific categories.php endpoint with a crafted cat_id parameter.