CVE-2026-48997
HighCVSS 7.1Exploitation Probability (EPSS)
Elevated risk50th percentile — higher than 50% of all known CVEs
Summary
e107 is a content management system (CMS), versions 2.3.5 and earlier contain a command injection vulnerability in the ImageMagick resize destination path. In the resize_image() function, the source path is properly escaped, but the destination path is inserted inside raw double quotes, allowing an attacker to inject malicious code.
Risk Assessment
This vulnerability could lead to the execution of arbitrary system commands by an attacker, posing a serious threat to the security of the system and the organization's data. Exploitation of this vulnerability is only possible under specific configuration conditions.
Recommendation
It is recommended to upgrade to version 2.3.6, where this vulnerability has been fixed. Additionally, consider reviewing and restricting user permissions to minimize the risk of exploitation.
Original NVD description (English source)
e107 is a content management system (CMS). Versions 2.3.5 and earlier contain a command injection vulnerability in the ImageMagick resize destination path. In resize_image(), the source path is escaped with escapeshellarg(), but the destination path is inserted inside raw double quotes in the convert command; in the submit-news upload flow, that destination filename includes the first six characters of user-controlled news title input. Because the title filter removes literal spaces but not tab characters, and shell expansions such as $(...) and backticks can survive into the quoted destination argument, /bin/sh -c may evaluate attacker-controlled input. Exploitation is possible only when all of the following non-default settings are enabled: resize_method=ImageMagick, subnews_attach=1, upload_enabled=1, subnews_resize is numeric between 30 and 5000, and the attacker is a non-admin in classes permitted by both subnews_class and upload_class. This issue has been fixed in version 2.3.6.

