CVE-2026-48997
Status: Received - Intake
Command Injection in e107 CMS via ImageMagick Resize

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
e107 is a content management system (CMS). Versions 2.3.5 and earlier contain a command injection vulnerability in the ImageMagick resize destination path. In resize_image(), the source path is escaped with escapeshellarg(), but the destination path is inserted inside raw double quotes in the convert command; in the submit-news upload flow, that destination filename includes the first six characters of user-controlled news title input. Because the title filter removes literal spaces but not tab characters, and shell expansions such as $(...) and backticks can survive into the quoted destination argument, /bin/sh -c may evaluate attacker-controlled input. Exploitation is possible only when all of the following non-default settings are enabled: resize_method=ImageMagick, subnews_attach=1, upload_enabled=1, subnews_resize is numeric between 30 and 5000, and the attacker is a non-admin in classes permitted by both subnews_class and upload_class. This issue has been fixed in version 2.3.6.
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-18
AI Q&A
2026-06-18
EPSS Evaluated
N/A
Affected Vendors & Products
2 associated CPEs
Vendor Product Version / Range
e107 e107 to 2.3.6 (exc)
e107 e107 2.3.6
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Executive Summary

This vulnerability exists in e107, a content management system, specifically in versions 2.3.5 and earlier. It is a command injection flaw related to the ImageMagick resize destination path. While the source path is properly escaped, the destination path is inserted inside raw double quotes in the convert command. The destination filename includes the first six characters of user-controlled news title input, which can contain tab characters and shell expansions like $(...) or backticks that are not filtered out. This allows an attacker to inject and execute arbitrary shell commands via /bin/sh -c.

Exploitation requires several non-default settings to be enabled, including resize_method=ImageMagick, subnews_attach=1, upload_enabled=1, subnews_resize set to a numeric value between 30 and 5000, and the attacker must be a non-admin user in classes allowed by both subnews_class and upload_class. The issue was fixed in version 2.3.6.

Impact Analysis

This vulnerability can allow an attacker with limited privileges (non-admin user in certain classes) to execute arbitrary commands on the server hosting the e107 CMS. This can lead to unauthorized actions such as modifying or deleting data, escalating privileges, or compromising the server's integrity and availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade e107 to version 2.3.6 or later where the issue has been fixed.

Additionally, consider disabling or changing the following non-default settings that enable exploitation: resize_method=ImageMagick, subnews_attach=1, upload_enabled=1, and ensure subnews_resize is not set between 30 and 5000.

Restrict upload and subnews permissions to trusted users only, especially limiting non-admin users in classes permitted by subnews_class and upload_class.
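The following is an added illustration and is not e107's own code. It shows, side by side, the quoting pattern the advisory describes (source path escaped, destination only wrapped in double quotes) and a hardened builder that passes every operand through escapeshellarg() and whitelists the title-derived basename before it reaches the command. Function names, the `/uploads` directory, the width parameter and the sample title are all constructed for the example.

```php
<?php
// Added example, not e107 project code. Names and paths are hypothetical.
declare(strict_types=1);

/**
 * Reduce a user-controlled title to a shell-safe filename prefix.
 * A whitelist is used deliberately: a blacklist that removes only spaces
 * still lets tabs, backticks and $(...) through, which is the root cause
 * described in CVE-2026-48997.
 */
function safeFilenamePrefix(string $title, int $len = 6): string
{
    $clean = preg_replace('/[^A-Za-z0-9._-]/', '', $title) ?? '';
    $clean = substr($clean, 0, $len);
    // Avoid an empty basename and avoid names starting with '-' or '.' that
    // convert(1) or the filesystem could interpret specially.
    return ($clean === '' || $clean[0] === '-' || $clean[0] === '.') ? 'upload' : $clean;
}

/**
 * Pattern the advisory describes: only the source path is escaped; the
 * destination is placed inside raw double quotes, which /bin/sh still
 * subjects to expansion.
 */
function buildResizeCommandUnsafe(string $src, string $dest, int $w): string
{
    return 'convert ' . escapeshellarg($src) . " -resize {$w}x{$w} \"{$dest}\"";
}

/**
 * Hardened form: every operand is escaped, the size is range-checked, and the
 * destination basename comes from the whitelist above plus a random suffix so
 * two uploads with the same prefix cannot collide.
 */
function buildResizeCommandSafe(string $src, string $destDir, string $title, int $w): string
{
    if ($w < 30 || $w > 5000) {
        throw new InvalidArgumentException('resize size out of range');
    }
    $dest = rtrim($destDir, '/') . '/' . safeFilenamePrefix($title)
        . '_' . bin2hex(random_bytes(4)) . '.jpg';
    return 'convert ' . escapeshellarg($src)
        . ' -resize ' . escapeshellarg("{$w}x{$w}")
        . ' ' . escapeshellarg($dest);
}

// Constructed sample title: contains a tab and shell metacharacters but no command.
$title = "ab\tcd`e`\$(f)";

echo "unsafe: ", buildResizeCommandUnsafe('/tmp/in.jpg', '/uploads/' . substr($title, 0, 6) . '.jpg', 400), PHP_EOL;
echo "safe:   ", buildResizeCommandSafe('/tmp/in.jpg', '/uploads', $title, 400), PHP_EOL;
// safeFilenamePrefix($title) yields "abcdef": the tab, backticks and $( ) are gone.
```

Running the script prints the unsafe command with the raw characters still inside the double quotes, while the safe command shows each operand in single quotes and a basename reduced to `abcdef_<hex>.jpg`. Two design points are worth keeping in mind beyond escaping: on PHP 7.4 and later, proc_open() accepts the command as an array, which bypasses /bin/sh entirely and removes the quoting problem at its source; and escapeshellarg() protects the shell but not ImageMagick itself, which treats certain filename prefixes and formats specially, so the basename whitelist remains useful even when no shell is involved.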
