CVE-2022-50912 PUBLISHED

ImpressCMS 1.4.4 - Unrestricted File Upload

Assigner: VulnCheck
Reserved: 11.01.2026 Published: 13.01.2026 Updated: 05.03.2026

ImpressCMS 1.4.4 contains a file upload vulnerability with weak extension sanitization that allows attackers to upload potentially malicious files. Attackers can bypass file upload restrictions by using the alternative file extensions .php2, .php6, .php7, .phps and .pht to execute arbitrary PHP code on the server.
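
The weakness described above is an extension check that misses alternative PHP extensions. The following is an added example (not ImpressCMS code and not part of the advisory) contrasting a denylist check with an allowlist check; the function names and both extension lists are assumptions constructed for illustration.

```php
<?php
// Added example, not ImpressCMS code. Function names and extension lists are
// hypothetical; the bypass extensions tested are the ones named in the advisory.

// Weak pattern: reject only the extensions someone remembered to list.
function denylist_accepts(string $filename): bool
{
    $blocked = ['php', 'php3', 'php4', 'php5', 'phtml']; // constructed denylist
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Hardened pattern: accept only known-good extensions and never reuse the
// client-supplied name. Returns the name to store under, or null to refuse.
function allowlist_store_name(string $filename): ?string
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf']; // constructed allowlist
    $ext = strtolower(pathinfo(basename($filename), PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return null; // unknown, missing, or empty extension ("shell.php.")
    }
    // Server-chosen name: drops inner segments such as "a.php7.jpg" entirely.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample file names covering the extensions listed in the advisory.
$samples = ['photo.JPG', 'shell.php', 'a.php2', 'a.php6', 'a.php7', 'a.phps', 'a.pht'];

foreach ($samples as $name) {
    printf(
        "%-10s denylist=%-6s allowlist=%s\n",
        $name,
        denylist_accepts($name) ? 'accept' : 'reject',
        allowlist_store_name($name) ?? 'reject'
    );
}
```

Whether an extension such as .pht is executed depends on the web server's handler configuration, so the upload directory should also have script execution disabled and, where possible, sit outside the web root.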

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor ImpressCMS
Product ImpressCMS
Versions
  • Version 1.4.4 is affected

Credits

  • Ünsal Furkan Harani (Zemarkhos) finder

Problem Types

  • Unrestricted Upload of File with Dangerous Type CWE