Description
e107 is a content management system (CMS). Versions 2.3.5 and earlier contain a command injection vulnerability in the ImageMagick resize destination path. In resize_image(), the source path is escaped with escapeshellarg(), but the destination path is inserted inside raw double quotes in the convert command; in the submit-news upload flow, that destination filename includes the first six characters of user-controlled news title input. Because the title filter removes literal spaces but not tab characters, and shell expansions such as $(...) and backticks can survive into the quoted destination argument, /bin/sh -c may evaluate attacker-controlled input. Exploitation is possible only when all of the following non-default settings are enabled: resize_method=ImageMagick, subnews_attach=1, upload_enabled=1, subnews_resize is numeric between 30 and 5000, and the attacker is a non-admin in classes permitted by both subnews_class and upload_class. This issue has been fixed in version 2.3.6.
Published: 2026-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

e107 CMS versions 2.3.5 and earlier contain a command‑injection flaw in the ImageMagick image‑resize routine. The source file path is escaped, but the destination file path is inserted directly inside double quotes in an unfiltered shell command. The destination filename is derived from the first six characters of a user‑controlled news title; because the title filter removes spaces but not tabs, shell expansion sequences such as $(…) or backticks can survive and be interpreted by /bin/sh in the convert command. This allows an attacker to execute arbitrary OS commands through the web interface.

Affected Systems

All e107 CMS installations from e107 Inc running version 2.3.5 or older that are configured with resize_method set to ImageMagick, subnews_attach enabled, upload_enabled enabled, subnews_resize set to a numeric value between 30 and 5000, and where the attacker belongs to user classes allowed by both subnews_class and upload_class. The vulnerability is mitigated in version 2.3.6 and later.

Risk and Exploitability

The vulnerability has a CVSS score of 7.1, indicating medium‑high impact. The EPSS score of less than 1% suggests that exploitation is currently rare, and the issue is not listed in the CISA KEV catalog. Based on the description, the attack vector is inferred to be remote via the public web interface and can grant remote code execution to a non‑admin user, providing a powerful foothold for further compromise. System owners should treat this as a high‑priority risk if the vulnerable upload and resize features are active.

Generated by OpenCVE AI on June 18, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the e107 CMS to version 2.3.6 or later.
  • If an upgrade is not immediately possible, disable the subnews_attach option, set upload_enabled to 0, or change resize_method to a non‑ImageMagick value.
  • Restrict the user classes allowed to upload news entries so that only trusted users can use the affected functionality.
  • Regularly consult the e107 Inc. website or update channel for security advisories and updates.

Generated by OpenCVE AI on June 18, 2026 at 20:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared E107
E107 e107
Vendors & Products E107
E107 e107

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description e107 is a content management system (CMS). Versions 2.3.5 and earlier contain a command injection vulnerability in the ImageMagick resize destination path. In resize_image(), the source path is escaped with escapeshellarg(), but the destination path is inserted inside raw double quotes in the convert command; in the submit-news upload flow, that destination filename includes the first six characters of user-controlled news title input. Because the title filter removes literal spaces but not tab characters, and shell expansions such as $(...) and backticks can survive into the quoted destination argument, /bin/sh -c may evaluate attacker-controlled input. Exploitation is possible only when all of the following non-default settings are enabled: resize_method=ImageMagick, subnews_attach=1, upload_enabled=1, subnews_resize is numeric between 30 and 5000, and the attacker is a non-admin in classes permitted by both subnews_class and upload_class. This issue has been fixed in version 2.3.6.
Title e107: Command Injection via shell expansion in ImageMagick resize destination path
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H'}

Subscriptions

E107 E107
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T13:06:02.489Z

Reserved: 2026-05-26T23:26:07.976Z

Link: CVE-2026-48997

cve-icon Vulnrichment

Updated: 2026-06-18T13:05:57.306Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:00:13Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')