CVE-2022-50905

MEDIUM 6.1

e107 CMS v3.2.1 - Reflected XSS via Comment Flow

CVSS Score

6.1

EPSS Score

0.0%

EPSS Percentile

0th

e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first vulnerability is a reflected XSS that occurs in the news comment functionality when authenticated users interact with the comment form. An attacker can inject malicious JavaScript code through the URL parameter that gets executed when users click outside the comment field after typing content. The second vulnerability involves an upload restriction bypass for authenticated administrators, allowing them to upload SVG files containing malicious code through the media manager's remote URL upload feature. This results in stored XSS when the uploaded SVG files are accessed. These vulnerabilities were discovered by Hubert Wojciechowski and affect the news.php and image.php components of the CMS.

CWE	CWE-79
Vendor	e107
Product	e107 cms
Published	Jan 13, 2026
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for e107 e107 cms

Be the first to know when new medium vulnerabilities affecting e107 e107 cms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

e107 / e107 CMS

3.2.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/50910 e107.org: https://e107.org/ e107.org: https://e107.org/download vulncheck.com: https://www.vulncheck.com/advisories/e-cms-reflected-xss-via-comment-flow

Credits

Hubert Wojciechowski