CVE-2022-50912

CriticalPublic PoC

Published: 13 January 2026

Published

13 January 2026

Modified

03 February 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0020 41.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

ImpressCMS 1.4.4 contains a file upload vulnerability with weak extension sanitization that allows attackers to upload potentially malicious files. Attackers can bypass file upload restrictions by using alternative file extensions .php2.php6.php7.phps.pht to execute arbitrary PHP code on the server.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of file upload inputs for expected content, format, and type to prevent bypass of extension sanitization with dangerous PHP variants.

SI-9 Information Input Restrictions good match

prevent

Restricts file uploads to only authorized safe types and sources, blocking submission of files with alternative PHP-executable extensions like .php2 or .pht.

SI-3 Malicious Code Protection good match

preventdetect

Deploys malicious code protection mechanisms at web server entry points to scan and block uploaded PHP payloads before execution.

Security SummaryAI

CVE-2022-50912 affects ImpressCMS version 1.4.4 and involves a file upload vulnerability stemming from weak extension sanitization. This flaw enables attackers to upload potentially malicious files by bypassing restrictions through alternative extensions such as .php2, .php6, .php7, .phps, or .pht, ultimately allowing execution of arbitrary PHP code on the server. The vulnerability carries a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).

The attack scenario targets the file upload functionality accessible over the network, exploitable by unauthenticated remote attackers without requiring user interaction. Successful exploitation permits attackers to upload and execute malicious PHP payloads, achieving high-impact confidentiality, integrity, and availability compromises, such as server takeover or code execution in the context of the web server.

Reference advisories include the VulnCheck advisory at https://www.vulncheck.com/advisories/impresscms-unrestricted-file-upload, ImpressCMS GitHub at https://github.com/ImpressCMS/impresscms, the official site at https://www.impresscms.org/, and a public exploit at https://www.exploit-db.com/exploits/50890. Practitioners should review these sources for mitigation details and available patches.

Details

CWE(s): CWE-434

Affected Products

impresscms

1.4.4

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

The vulnerability is an unrestricted file upload in a public-facing web application (ImpressCMS CMS), directly enabling T1190 (Exploit Public-Facing Application) for unauthenticated remote code execution. It facilitates uploading and executing arbitrary PHP code, commonly as a web shell (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/ImpressCMS/impresscms
Product · disclosure@vulncheck.com
https://www.exploit-db.com/exploits/50890
Exploit, Third Party Advisory, VDB Entry · disclosure@vulncheck.com
https://www.impresscms.org/
Product · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/impresscms-unrestricted-file-upload
Third Party Advisory · disclosure@vulncheck.com