CVE-2022-50893
Unknown Unknown - Not Provided
Unauthenticated Remote Code Execution in VIAVIWEB Wallpaper Admin Upload

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: VulnCheck

Description
VIAVIWEB Wallpaper Admin 1.0 contains an unauthenticated remote code execution vulnerability in the image upload functionality. Attackers can upload a malicious PHP file through the add_gallery_image.php endpoint to execute arbitrary code on the server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-14
NVD
CVE-2022-50893
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
viaviweb wallpaper_admin 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2022-50893 is a critical vulnerability in VIAVIWEB Wallpaper Admin 1.0 that allows unauthenticated remote code execution. Attackers can exploit the image upload functionality by uploading a malicious PHP file through the add_gallery_image.php endpoint. This lets them execute arbitrary code on the server without needing any privileges or user interaction. [1, 3]

Impact Analysis

This vulnerability can have severe impacts including full compromise of the affected server. Since attackers can execute arbitrary code remotely without authentication, they can potentially take control of the server, access sensitive data, modify or delete information, disrupt services, and use the server as a foothold for further attacks. [1, 3]

Detection Guidance

This vulnerability can be detected by attempting to upload a PHP file disguised as an image to the add_gallery_image.php endpoint with the parameter add=yes. A test command using curl could be constructed to POST a multipart/form-data request containing a PHP payload (e.g., <?php phpinfo(); ?>) to the endpoint and then checking if the uploaded file is accessible and executable on the server under the categories/ directory. For example, using curl to upload a file named poc.php and then accessing it via HTTP to verify execution. Additionally, monitoring network traffic for POST requests to add_gallery_image.php with suspicious file uploads can help detect exploitation attempts. [3]

Mitigation Strategies

Immediate mitigation steps include disabling or restricting the image upload functionality at the add_gallery_image.php endpoint, especially the ability to upload PHP or other executable files. Implement strict server-side validation to allow only legitimate image file types and reject any files containing executable code. Applying web application firewall (WAF) rules to block suspicious upload attempts and restricting access to the upload endpoint can also help. Additionally, updating or patching the VIAVIWEB Wallpaper Admin application if a fix is available is recommended. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50893. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart