Severity: HIGH | CVE-2026-48997 | CNA: GitHub_M

CVE-2026-48997: e107: Command Injection via shell expansion in ImageMagick resize destination path

e107 is a content management system (CMS). Versions 2.3.5 and earlier contain a command injection vulnerability in the ImageMagick resize destination path. In resize_image(), the source path is escaped with escapeshellarg(), but the destination path is inserted inside raw double quotes in the convert command; in the submit-news upload flow, that destination filename includes the first six characters of user-controlled news title input. Because the title filter removes literal spaces but not tab characters, and shell expansions such as $(...) and backticks can survive into the quoted destination argument, /bin/sh -c may evaluate attacker-controlled input. Exploitation is possible only when all of the following non-default settings are enabled: resize_method=ImageMagick, subnews_attach=1, upload_enabled=1, subnews_resize is numeric between 30 and 5000, and the attacker is a non-admin in classes permitted by both subnews_class and upload_class. This issue has been fixed in version 2.3.6.
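The quoting difference described above, as an added example (simplified, not e107's resize_image() source): it builds the command string both ways and prints it without executing anything. The function names, paths, filename layout and sample title are constructed, the space-only filter is an approximation of the title filter the advisory describes, and a Unix-like host is assumed for escapeshellarg() behaviour.

```php
<?php
// Added illustration, simplified: NOT e107's resize_image() source.
// Function names, paths and the sample title are constructed.

// Pattern from the advisory: source escaped, destination in raw double quotes.
// sh still performs $(...) and backtick substitution inside double quotes.
function build_cmd_vulnerable(string $src, string $dst, int $width): string
{
    return 'convert ' . escapeshellarg($src) . ' -resize ' . $width . ' "' . $dst . '"';
}

// Hardened: the destination goes through escapeshellarg() as well, so on
// Unix-like hosts it reaches sh single-quoted and is not expanded.
function build_cmd_hardened(string $src, string $dst, int $width): string
{
    return 'convert ' . escapeshellarg($src) . ' -resize ' . $width . ' ' . escapeshellarg($dst);
}

// Approximation of space-only filtering: one character is stripped,
// every other shell metacharacter passes through.
function title_fragment_space_filter(string $title): string
{
    return substr(str_replace(' ', '', $title), 0, 6);
}

// Defence in depth: allowlist the fragment instead of stripping one character.
function title_fragment_allowlist(string $title): string
{
    $frag = substr(preg_replace('/[^A-Za-z0-9_-]/', '', $title), 0, 6);
    return $frag === '' ? 'upload' : $frag;
}

$title = '$(x) news';   // constructed input; the command is only printed
$src   = '/tmp/in.jpg'; // constructed path
foreach (['title_fragment_space_filter', 'title_fragment_allowlist'] as $filter) {
    $dst = '/tmp/out/' . $filter($title) . '_1.jpg';
    echo $filter, PHP_EOL;
    echo '  raw quotes: ', build_cmd_vulnerable($src, $dst, 200), PHP_EOL;
    echo '  escaped:    ', build_cmd_hardened($src, $dst, 200), PHP_EOL;
}
```

Since PHP 7.4, proc_open() also accepts the command as an array of arguments and starts the process without going through a shell, which removes the quoting question altogether.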

Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in
Affected Products: 1


HarborGuard Analysis

Synopsis

A command injection vulnerability in e107, a PHP-based content management system, allows an authenticated low-privilege user to execute arbitrary shell commands on the server through a crafted news title. The attack is reachable over the network but requires a low-privilege account and a specific combination of non-default site configuration settings to be active simultaneously. Successful exploitation gives an attacker partial read access to the server, full write capability, and the ability to crash or disrupt the affected service. A patched-image rebuild at version 2.3.6 is available on HarborGuard for environments running an affected version of e107.

HarborGuard Coverage

Detection

Detection of CVE-2026-48997 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle e107 versions 2.3.5 and earlier.

Status: Available

Triage

HarborGuard scores this CVE at 7.1 HIGH using the published CVSS v3.1 vector, and triage findings are weighted against each environment's compliance policy before being routed to the appropriate team inbox within the customer org.

Status: Available

Patch

A patched-image rebuild pinned to e107 version 2.3.6 becomes available on HarborGuard the moment the fix version is confirmed in the upstream advisory feed. For customers who opt into auto-remediation, HarborGuard runs a rebuild, executes a regression test pass, and opens a pull request against any affected workloads automatically.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the e107 web application over the network; no local or physical access is needed.

  • Authentication: Required

    A low-privilege account that has been granted access via subnews_class and upload_class is required; anonymous access is not sufficient.

  • Victim interaction: Not required

    No victim action such as clicking a link or opening a file is needed; the attacker submits a crafted news title directly.

  • Attack complexity: Detail

    Exploitation depends on a specific combination of five non-default configuration settings all being active at the same time, so reliable exploitation is conditional on the target's environment rather than possible against any installation.

Blast Radius

  • An attacker can execute arbitrary shell commands under the web server process, enabling reads of files and secrets accessible to that process such as database credentials and session tokens.
  • An attacker can write or overwrite files on the server filesystem with the permissions of the web server user, allowing webshell placement or content tampering.
  • An attacker can terminate or destabilize the affected service, causing a denial of service for site visitors.

How HarborGuard Handles This

Available on HarborGuard: detection of this CVE is matched against all customer images within minutes of advisory publication, covering both official e107 images and custom images that bundle the CMS. For customers who opt into auto-remediation, HarborGuard can rebuild the affected image at e107 2.3.6, run a regression test suite against the rebuilt image, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Because exploitation requires five non-default configuration flags to be active simultaneously, customers who cannot immediately rebuild should audit their e107 settings and disable resize_method=ImageMagick, subnews_attach, or upload_enabled as compensating controls until the patched image is deployed. HarborGuard compliance policy weighting can be used to escalate triage priority for images where those settings are confirmed active.

Affected packages
  • e107inc / e107
    < 2.3.6
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H