Aggregates CVE and security vulnerability intelligence across all E107-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk csrf and vendor risk path handling and related problems; some flaws may lead to vendor impact file overwrite, affecting vendor surface software deployment scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2022-50939 | e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to override arbitrary server files through path traversal. The vulnerability exists in the Media Manager's remote URL upload functionality (image.php) where the upload_caption parameter is not properly sanitized. An attacker with administrative privileges can use directory traversal sequences (../../../) in the upload_caption field to overwrite critical system files outside the intended | [email protected] | 8.6 | 1.09% | 2026-01-13 | 2026-01-20 |
| CVE-2022-50916 | e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to override server files through the Media Manager import functionality. Attackers can exploit the upload mechanism by manipulating the upload URL parameter to overwrite existing files like top.php in the web application directory. | [email protected] | 8.7 | 0.80% | 2026-01-13 | 2026-01-16 |
| CVE-2022-50907 | e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. Attackers can upload malicious PHP files to parent directories by manipulating the upload URL parameter, enabling remote code execution through the Media Manager import feature. | [email protected] | 8.6 | 1.05% | 2026-01-13 | 2026-01-16 |
| CVE-2022-50906 | e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files with embedded cross-site scripting (XSS) payloads that can execute arbitrary scripts when viewed. | [email protected] | 4.8 | 0.35% | 2026-01-13 | 2026-01-16 |
| CVE-2022-50905 | e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first vulnerability is a reflected XSS that occurs in the news comment functionality when authenticated users interact with the comment form. An attacker can inject malicious JavaScript code through the URL parameter that gets executed when users click outside the comment field after typing content. The second vulnerability involves an upload restriction bypass for authenticated administra | [email protected] | 9.8 | 0.57% | 2026-01-13 | 2026-01-21 |
| CVE-2025-11941 | A vulnerability was detected in e107 CMS up to 2.3.3. This impacts an unknown function of the file /e107_admin/image.php?mode=main&action=avatar of the component Avatar Handler. Performing manipulation of the argument multiaction[] results in path traversal. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 2.1 | 0.76% | 2025-10-19 | 2026-04-29 |
| CVE-2025-61505 | e107 CMS thru 2.3.3 are vulnerable to insecure deserialization in the `install.php` script. The script processes user-controlled input in the `previous_steps` POST parameter using `unserialize(base64_decode())` without validation, allowing attackers to craft malicious serialized data. This could lead to remote code execution, arbitrary file operations, or denial of service, depending on available PHP object gadgets in the codebase. | [email protected] | 6.5 | 0.33% | 2025-10-10 | 2026-01-12 |
| CVE-2023-43874 | Multiple Cross Site Scripting (XSS) vulnerability in e017 CMS v.2.3.2 allows a local attacker to execute arbitrary code via a crafted script to the Copyright and Author fields in the Meta & Custom Tags Menu. | [email protected] | 5.4 | 0.63% | 2023-09-28 | 2024-11-21 |
| CVE-2023-43873 | A Cross Site Scripting (XSS) vulnerability in e017 CMS v.2.3.2 allows a local attacker to execute arbitrary code via a crafted script to the Name filed in the Manage Menu. | [email protected] | 5.4 | 0.46% | 2023-09-28 | 2024-11-21 |
| CVE-2023-36121 | Cross Site Scripting vulnerability in e107 v.2.3.2 allows a remote attacker to execute arbitrary code via the description function in the SEO project. | [email protected] | 5.4 | 1.07% | 2023-08-02 | 2024-11-21 |
| CVE-2021-27885 | usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism. | [email protected] | 8.8 | 3.21% | 2021-03-02 | 2024-11-21 |
| CVE-2018-11734 | In e107 v2.1.7, output without filtering results in XSS. | [email protected] | 6.1 | 0.78% | 2019-07-10 | 2024-11-21 |
| CVE-2018-17423 | An issue was discovered in e107 v2.1.9. There is a XSS attack on e107_admin/comment.php. | [email protected] | 4.8 | 0.74% | 2019-06-19 | 2024-11-21 |
| CVE-2016-10753 | e107 2.1.2 allows PHP Object Injection with resultant SQL injection, because usersettings.php uses unserialize without an HMAC. | [email protected] | 8.8 | 1.68% | 2019-05-24 | 2024-11-21 |
| CVE-2018-17081 | e107 2.1.9 allows CSRF via e107_admin/wmessage.php?mode=&action=inline&ajax_used=1&id= for changing the title of an arbitrary page. | [email protected] | 4.3 | 0.58% | 2018-09-26 | 2024-11-21 |
| CVE-2018-16389 | e107_admin/banlist.php in e107 2.1.8 allows SQL injection via the old_ip parameter. | [email protected] | 6.5 | 1.15% | 2018-09-12 | 2024-11-21 |
| CVE-2018-16388 | e107_web/js/plupload/upload.php in e107 2.1.8 allows remote attackers to execute arbitrary PHP code by uploading a .php filename with the image/jpeg content type. | [email protected] | 7.2 | 2.19% | 2018-09-12 | 2024-11-21 |
| CVE-2018-16381 | e107 2.1.8 has XSS via the e107_admin/users.php?mode=main&action=list user_loginname parameter. | [email protected] | 6.1 | 0.71% | 2018-09-05 | 2024-11-21 |
| CVE-2018-15901 | e107 2.1.8 has CSRF in 'usersettings.php' with an impact of changing details such as passwords of users including administrators. | [email protected] | 8.8 | 0.56% | 2018-08-28 | 2024-11-21 |
| CVE-2018-11127 | e107 2.1.7 has CSRF resulting in arbitrary user deletion. | [email protected] | 6.5 | 0.53% | 2018-05-15 | 2024-11-21 |