Command Injection Vulnerability in e107 CMS by e107 Inc.
CVE-2026-48997

7.1 HIGH

Key Information:

Vendor: E107inc

Status
Vendor
CVE Published: 17 June 2026

What is CVE-2026-48997?

The e107 content management system (CMS) contains a command injection vulnerability caused by improper handling of user-controlled input in the ImageMagick resize destination path. Specifically, versions 2.3.5 and earlier do not properly escape the destination filename in the resize_image() function, which can lead to execution of arbitrary commands. Exploitation is possible under certain configurations, in which non-admin users can control news title input that is included in the command line without proper validation. Update to version 2.3.6 or later to mitigate this risk.
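An added illustration of the defect class described above; it is not e107's code and not the project's actual fix. All function names and paths are hypothetical, and it assumes ImageMagick's convert is invoked through a shell command string. It contrasts a destination path concatenated into the command with one that is reduced to an allowlisted filename and shell-escaped.

```php
<?php
// Added example: hypothetical names throughout, not taken from e107.

/** Weak pattern (generic): the destination is only wrapped in quotes, not escaped. */
function build_resize_command_unsafe(string $src, string $dest, int $w, int $h): string
{
    // Quotes, backticks or $ in $dest are interpreted by the shell.
    return 'convert "' . $src . '" -resize ' . $w . 'x' . $h . ' "' . $dest . '"';
}

/** Reduce a user-supplied title to a conservative filename stem. */
function safe_stem(string $title): string
{
    // Allowlist: letters, digits, underscore, hyphen. Everything else collapses to '_'.
    $stem = (string) preg_replace('/[^A-Za-z0-9_-]+/', '_', $title);
    $stem = trim($stem, '_-');            // a leading '-' could be parsed as an option
    return $stem === '' ? 'image' : substr($stem, 0, 64);
}

/** Hardened form: allowlisted filename, and every path goes through escapeshellarg(). */
function build_resize_command(string $src, string $destDir, string $title, int $w, int $h): string
{
    $dest = rtrim($destDir, '/') . '/' . safe_stem($title) . '.jpg';
    return sprintf(
        'convert %s -resize %dx%d %s',
        escapeshellarg($src),
        $w,
        $h,
        escapeshellarg($dest)
    );
}

// Constructed sample input: a news title containing shell metacharacters.
$title = 'Release notes; v2 & "more" $HOME';
$src   = '/var/www/media/in.jpg';         // hypothetical server-side path
$dir   = '/var/www/media/thumbs';         // hypothetical output directory

// Print both command strings for comparison; nothing is executed here.
echo build_resize_command_unsafe($src, $dir . '/' . $title . '.jpg', 320, 240), PHP_EOL;
echo build_resize_command($src, $dir, $title, 320, 240), PHP_EOL;
```

Passing the arguments as an array to proc_open() (PHP 7.4 and later) avoids the shell entirely and removes the need for escaping.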

Affected Version(s)

e107 < 2.3.6

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
