CVE-2022-50912

Source
https://cve.org/CVERecord?id=CVE-2022-50912
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50912.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50912
Published
2026-01-13T23:15:54.350Z
Modified
2026-03-11T14:28:47.854583Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

ImpressCMS 1.4.4 contains a file upload vulnerability with weak extension sanitization that allows attackers to upload potentially malicious files. Attackers can bypass file upload restrictions by using alternative file extensions (.php2, .php6, .php7, .phps, .pht) to execute arbitrary PHP code on the server.

References

Affected packages

Git / github.com/impresscms/impresscms

Affected ranges

Type
GIT
Repo
https://github.com/impresscms/impresscms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.4.4"
        }
    ]
}

Affected versions

1.*
1.3.10-beta
1.3.8
1.3.8-beta
1.3.9
1.3.9_rc
1.4.1
impresscms_1.*
impresscms_1.3.3
impresscms_1.3.4
v1.*
v1.3.10
v1.3.11
v1.3.11-beta
v1.3.11-beta2
v1.3.11-rc
v1.3.11-rc2
v1.3.8
v1.4.0
v1.4.0-alpha
v1.4.0-alpha.2
v1.4.0-beta
v1.4.0-rc
v1.4.1_beta
v1.4.2
v1.4.2_bis
v1.4.2_rc
v1.4.3
v1.4.3-rc
v1.4.3-rc2
v1.4.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50912.json"