Cross-Site Scripting Vulnerabilities in e107 CMS by e107
CVE-2022-50905

5.1MEDIUM

Key Information:

Vendor: E107
Status: E107 Cms
Vendor: CVE Published:; 13 January 2026

Badges

👾 Exploit Exists

What is CVE-2022-50905?

e107 CMS version 3.2.1 is vulnerable to multiple cross-site scripting (XSS) flaws. The first flaw allows attackers to perform reflected XSS attacks via the news comment functionality, where malicious JavaScript can be injected using URL parameters. When authenticated users engage with the comment form, the payload executes upon interaction outside the comment field. The second vulnerability permits authenticated administrators to bypass file upload restrictions, enabling the upload of SVG files that can contain harmful scripts. Accessing these uploaded SVG files leads to stored XSS attacks. These vulnerabilities could significantly compromise the security of websites using this version of e107 CMS.

Affected Version(s)

e107 CMS 3.2.1

References

https://www.exploit-db.com/exploits/50910

exploit

https://e107.org/

product

https://e107.org/download

product

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jan 13, 2026
👾
Exploit known to exist
Jan 13, 2026
Vulnerability published
Jan 13, 2026
Vulnerability Reserved
Jan 11, 2026

Credit

Hubert Wojciechowski

CVE-2022-50905 Data

JSON

E107

Badges

What is CVE-2022-50905?

Affected Version(s)

References

CVSS V4

Timeline

Credit