PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48997 e107inc CVE debrief

CVE-2026-48997 is a high-severity command injection vulnerability in e107 CMS versions 2.3.5 and earlier. The vulnerability exists in the ImageMagick resize destination path within the resize_image() function. An attacker can inject commands when the destination filename includes user-controlled news title input, which is not properly sanitized. Exploitation requires specific non-default settings: resize_method=ImageMagick, subnews_attach=1, upload_enabled=1, subnews_resize is numeric between 30 and 5000, and the attacker must be a non-admin in classes permitted by both subnews_class and upload_class. The issue was fixed in version 2.3.6.

Vendor
e107inc
Product
e107
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-23
Advisory published
2026-06-17
Advisory updated
2026-06-23

Who should care

Users of e107 CMS versions 2.3.5 and earlier should prioritize upgrading to version 2.3.6. System administrators and security teams responsible for managing e107 installations, especially those with non-default settings that could be exploited, should take immediate action. Developers using e107 as a dependency in their projects should also be aware of this vulnerability.

Technical summary

The vulnerability exists in the resize_image() function of e107 CMS versions 2.3.5 and earlier. The function uses ImageMagick for image resizing but fails to properly sanitize the destination path of the resized image. Specifically, while the source path is escaped with escapeshellarg(), the destination path is inserted directly into a command string within raw double quotes. This allows an attacker to inject shell commands when the destination filename is crafted from user-controlled input, such as the first six characters of a news title. The exploitation is contingent upon specific non-default settings being enabled: - resize_method=ImageMagick - subnews_attach=1 - upload_enabled=1 - subnews_resize is set to a numeric value between 30 and 5000 - The attacker must be a non-admin user with permissions in both subnews_class and upload_class The vulnerability was addressed in e107 version 2.3.6.

Defensive priority

High

Recommended defensive actions

  • Upgrade e107 to version 2.3.6 or later
  • Review and adjust non-default settings for resize_method, subnews_attach, upload_enabled, and subnews_resize
  • Restrict user permissions for subnews_class and upload_class
  • Monitor for suspicious activity related to image uploads and resizes
  • Implement additional input validation and sanitization for news titles and image file names

Evidence notes

The CVE record was published on 2026-06-17T22:16:23.737Z and was last modified on 2026-06-23T15:44:39.343Z. The NVD entry is currently Deferred. Official references include the CVE.org record, NVD detail page, and source item URL from nvd_modified. Additional references point to the e107 GitHub repository and security advisories.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T22:16:23.737Z and has not been modified since then. The NVD entry is currently Deferred.