CVE-2026-48997: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in e107inc e107
e107 CMS versions 2.3.5 and earlier have a command injection vulnerability in the ImageMagick resize destination path. The vulnerability arises because the destination filename includes user-controlled input that is not properly neutralized, allowing shell command injection under specific configuration settings. Exploitation requires multiple non-default settings to be enabled and a non-admin attacker with certain permissions. This issue is fixed in version 2.3.6.
AI Analysis
Technical Summary
The e107 content management system (CMS) versions 2.3.5 and earlier contain an OS command injection vulnerability (CWE-78) in the ImageMagick resize functionality. Specifically, in the resize_image() function, the source path is escaped properly, but the destination path is inserted inside raw double quotes in the convert command. The destination filename includes the first six characters of user-controlled news title input, which can contain tab characters and shell expansions like $(...) or backticks that survive the quoting. This allows /bin/sh -c to evaluate attacker-controlled input, leading to command injection. Exploitation is only possible when multiple non-default settings are enabled (resize_method=ImageMagick, subnews_attach=1, upload_enabled=1, subnews_resize numeric between 30 and 5000) and the attacker is a non-admin user permitted by subnews_class and upload_class. The vulnerability is fixed in version 2.3.6.
Potential Impact
Successful exploitation can lead to arbitrary command execution on the server with the privileges of the web application process. The CVSS 3.1 score is 7.1 (high), reflecting low attack complexity but requiring specific configuration and privileges. The impact includes potential confidentiality loss, integrity compromise, and availability disruption due to command injection.
Mitigation Recommendations
Upgrade to e107 version 2.3.6 or later, where this vulnerability is fixed. There is no official patch or temporary fix mentioned other than upgrading. Until upgraded, ensure the vulnerable configuration settings (resize_method=ImageMagick, subnews_attach=1, upload_enabled=1, subnews_resize between 30 and 5000) are not all enabled simultaneously, or restrict non-admin user permissions to prevent exploitation.
CVE-2026-48997: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in e107inc e107
Description
e107 CMS versions 2.3.5 and earlier have a command injection vulnerability in the ImageMagick resize destination path. The vulnerability arises because the destination filename includes user-controlled input that is not properly neutralized, allowing shell command injection under specific configuration settings. Exploitation requires multiple non-default settings to be enabled and a non-admin attacker with certain permissions. This issue is fixed in version 2.3.6.
CVSS v3.1
Score 7.1high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The e107 content management system (CMS) versions 2.3.5 and earlier contain an OS command injection vulnerability (CWE-78) in the ImageMagick resize functionality. Specifically, in the resize_image() function, the source path is escaped properly, but the destination path is inserted inside raw double quotes in the convert command. The destination filename includes the first six characters of user-controlled news title input, which can contain tab characters and shell expansions like $(...) or backticks that survive the quoting. This allows /bin/sh -c to evaluate attacker-controlled input, leading to command injection. Exploitation is only possible when multiple non-default settings are enabled (resize_method=ImageMagick, subnews_attach=1, upload_enabled=1, subnews_resize numeric between 30 and 5000) and the attacker is a non-admin user permitted by subnews_class and upload_class. The vulnerability is fixed in version 2.3.6.
Potential Impact
Successful exploitation can lead to arbitrary command execution on the server with the privileges of the web application process. The CVSS 3.1 score is 7.1 (high), reflecting low attack complexity but requiring specific configuration and privileges. The impact includes potential confidentiality loss, integrity compromise, and availability disruption due to command injection.
Mitigation Recommendations
Upgrade to e107 version 2.3.6 or later, where this vulnerability is fixed. There is no official patch or temporary fix mentioned other than upgrading. Until upgraded, ensure the vulnerable configuration settings (resize_method=ImageMagick, subnews_attach=1, upload_enabled=1, subnews_resize between 30 and 5000) are not all enabled simultaneously, or restrict non-admin user permissions to prevent exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-26T23:26:07.976Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a33168ef198dc38c1148dc0
Added to database: 6/17/2026, 9:50:06 PM
Last enriched: 6/17/2026, 10:05:32 PM
Last updated: 6/18/2026, 4:27:38 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.