Description
Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=add_post parameter, and the uploaded files are executed by the server.
Published: 2026-05-10
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Aero CMS 0.0.1 contains a PHP code injection flaw that lets authenticated attackers run arbitrary PHP code by uploading malicious files through the image parameter on the admin posts.php page. The flaw is triggered when a user adds a post via the source=add_post parameter; the uploaded file is saved and executed by the server. This allows an attacker who can authenticate as an administrator to gain remote code execution on the web server.

Affected Systems

The affected product is MegaTKC Aero CMS version 0.0.1. No other versions are mentioned, so any deployments running this release are vulnerable.

Risk and Exploitability

The CVSS base score is 8.7, indicating a high‑severity threat. There is no EPSS score available, which means we cannot quantify the current exploitation probability. The vulnerability is not listed in CISA's KEV, so no known exploits have been reported to that database. Because the flaw requires authentication to the admin area, the attack vector is remote via the web interface but depends on the attacker having valid admin credentials. Once authenticated, the attacker can upload a file that is later processed and executed by the server, granting full control over the application and server.

Generated by OpenCVE AI on May 10, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Aero CMS to a patched version that removes the PHP code injection flaw, if such a release exists.
  • If an official patch is unavailable, restrict the uploads directory to disallow execution of uploaded PHP files, for example by setting proper filesystem permissions or disabling PHP in that directory.
  • Implement a content filter that blocks uploaded files containing PHP opening tags (e.g., <?php) or other code‑execution indicators, and enforce file‑type validation to allow only image formats.
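The checks in the last two points, combined into one hardened upload handler, as an added example (not Aero CMS's own code). It assumes a hypothetical form field named "image" and an upload directory where PHP is not executed (outside the web root, or with PHP disabled for that path); the extension of the stored file is derived from the sniffed image type, never from the client-supplied name.

```php
<?php
// Added example, not Aero CMS code: a hardened image upload handler.
// Assumes a form field "image" and an upload directory where PHP does not
// execute (outside the web root, or with PHP disabled for that path).
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const MAX_BYTES = 2 * 1024 * 1024;

// Validates one entry of $_FILES and returns the stored filename, or throws.
// The extension is derived from the detected type, never from the client
// name, so "shell.php" or "shell.php.jpg" cannot survive.
function store_image(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp) || filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('rejected: not an upload or too large');
    }
    // 1. Sniff the type from magic bytes, not the client's Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("rejected: type $mime not allowed");
    }
    // 2. It must also parse as a real image of the same family.
    $info = @getimagesize($tmp);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('rejected: not a valid image');
    }
    // 3. Reject polyglots: a valid JPEG can still carry PHP tags in its
    //    metadata, which matters if the file ever lands where PHP runs.
    if (preg_match('/<\?php|<\?=|<script\b/i', file_get_contents($tmp))) {
        throw new RuntimeException('rejected: embedded code markers');
    }
    // 4. Random server-chosen name; extension from the detected type.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

// Usage from an admin handler (hypothetical field name):
// $stored = store_image($_FILES['image'] ?? [], __DIR__ . '/../uploads');
```

The content scan is a second line of defence only; the primary control is that the upload directory cannot execute PHP at all.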

Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sun, 10 May 2026 13:45:00 +0000

Type: First Time appeared
Values Added: Megatkc; Megatkc aero Cms

Type: Vendors & Products
Values Added: Megatkc; Megatkc aero Cms

Sun, 10 May 2026 12:45:00 +0000

Type: Description
Values Added: Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=add_post parameter, and the uploaded files are executed by the server.

Type: Title
Values Added: Aero CMS 0.0.1 PHP Code Injection via posts.php

Type: Weaknesses
Values Added: CWE-94

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1
{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0
{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T13:24:26.060Z

Reserved: 2026-01-11T13:34:26.331Z

Link: CVE-2022-50944

Vulnrichment

Updated: 2026-05-11T13:15:19.791Z

NVD

Status: Received

Published: 2026-05-10T13:16:32.137

Modified: 2026-05-10T13:16:32.137

Link: CVE-2022-50944

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T13:30:12Z

Weaknesses