PatchSiren cyber security CVE debrief
CVE-2026-48997 e107inc CVE debrief
CVE-2026-48997 is a high-severity command injection vulnerability in e107 CMS versions 2.3.5 and earlier. The vulnerability exists in the ImageMagick resize destination path within the resize_image() function. An attacker can inject commands when the destination filename includes user-controlled news title input, which is not properly sanitized. Exploitation requires specific non-default settings: resize_method=ImageMagick, subnews_attach=1, upload_enabled=1, subnews_resize is numeric between 30 and 5000, and the attacker must be a non-admin in classes permitted by both subnews_class and upload_class. The issue was fixed in version 2.3.6.
- Vendor
- e107inc
- Product
- e107
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-23
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-23
Who should care
Users of e107 CMS versions 2.3.5 and earlier should prioritize upgrading to version 2.3.6. System administrators and security teams responsible for managing e107 installations, especially those with non-default settings that could be exploited, should take immediate action. Developers using e107 as a dependency in their projects should also be aware of this vulnerability.
Technical summary
The vulnerability exists in the resize_image() function of e107 CMS versions 2.3.5 and earlier. The function uses ImageMagick for image resizing but fails to properly sanitize the destination path of the resized image. Specifically, while the source path is escaped with escapeshellarg(), the destination path is inserted directly into a command string within raw double quotes. This allows an attacker to inject shell commands when the destination filename is crafted from user-controlled input, such as the first six characters of a news title. The exploitation is contingent upon specific non-default settings being enabled: - resize_method=ImageMagick - subnews_attach=1 - upload_enabled=1 - subnews_resize is set to a numeric value between 30 and 5000 - The attacker must be a non-admin user with permissions in both subnews_class and upload_class The vulnerability was addressed in e107 version 2.3.6.
Defensive priority
High
Recommended defensive actions
- Upgrade e107 to version 2.3.6 or later
- Review and adjust non-default settings for resize_method, subnews_attach, upload_enabled, and subnews_resize
- Restrict user permissions for subnews_class and upload_class
- Monitor for suspicious activity related to image uploads and resizes
- Implement additional input validation and sanitization for news titles and image file names
Evidence notes
The CVE record was published on 2026-06-17T22:16:23.737Z and was last modified on 2026-06-23T15:44:39.343Z. The NVD entry is currently Deferred. Official references include the CVE.org record, NVD detail page, and source item URL from nvd_modified. Additional references point to the e107 GitHub repository and security advisories.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T22:16:23.737Z and has not been modified since then. The NVD entry is currently Deferred.