CVE-2022-50912
CRITICAL WAF: Medium
CVSS 9.8
Published: 2026-01-13
CWE-434
ImpressCMS 1.4.4 contains a file upload vulnerability with weak extension sanitization that allows attackers to upload potentially malicious files. Attackers can bypass file upload restrictions by using alternative file extensions .php2.php6.php7.phps.pht to execute arbitrary PHP code on the server.
WAF Coverage Analysis
Unrestricted File Upload
Medium WAF Coverage
OWASP: A04:2021 Insecure Design
930xxx - Local File Inclusion
Affected Software
| Vendor | Product | Version |
|---|---|---|
| impresscms | impresscms | 1.4.4 |
References
- github.com (Product)
- www.exploit-db.com (Exploit, Third Party Advisory, VDB Entry)
- www.impresscms.org (Product)
- www.vulncheck.com (Third Party Advisory)