CVE-2022-50806
Remote Command Execution in 4images 1.9 via Template Injection
Publication date: 2026-01-13
Last updated on: 2026-02-02
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 4images | 4images | 1.9 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2022-50806 is a remote command execution vulnerability in 4images version 1.9. It allows an authenticated administrator to inject malicious reverse shell code into template files through the template editing functionality. Once the malicious code is saved in a template, an attacker can execute arbitrary commands on the server by accessing a specific categories.php endpoint with a crafted cat_id parameter. This happens because the application does not properly sanitize or validate the template content, enabling remote code execution via template injection. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with administrative access to execute arbitrary commands on the affected server remotely. By injecting a reverse shell payload into template files, the attacker can gain shell access with the privileges of the daemon user, potentially leading to full system compromise, data theft, or further attacks within the network. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if unauthorized or suspicious modifications have been made to template files via the admin interface, especially the 'categories.html' template in the 'default_960px' template pack. Monitoring HTTP POST requests to '/4images/admin/templates.php' with parameters related to 'savetemplate' action and unusual content payloads can indicate exploitation attempts. Additionally, you can look for access to URLs like '/4images/categories.php?cat_id=1' that trigger the injected code. To detect active exploitation, you can monitor for reverse shell connections, for example by running a netcat listener with the command: nc -kvlp 4444. Also, reviewing web server logs for POST requests to the template editing endpoint and GET requests to the categories.php endpoint with crafted parameters can help identify attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting administrative access to trusted users only, ensuring strong authentication mechanisms are in place, and monitoring for suspicious template edits. Disable or restrict the template editing functionality if possible until a patch or update is applied. Review and sanitize inputs in the template editing interface to prevent code injection. Additionally, monitor network traffic for unusual connections such as reverse shells and consider setting up firewall rules to block unexpected outbound connections. Applying any available patches or updates from the 4images software provider is also critical. [1, 2]