← back
CVE-2016-20052

Snews CMS 1.7 Unrestricted File Upload via snews_files

CVSS 9.3 CRITICALEPSS 1.0%CWE-434
Vexday Risk Score
48Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 9.3EPSS 1.0%KEV nãoPoC públicaNuclei Metasploit Patch
Lifecycle
04 Apr 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
Snews CMS 1.7 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files including PHP executables to the snews_files directory. Attackers can upload malicious PHP files through the multipart form-data upload endpoint and execute them by accessing the uploaded file path to achieve remote code execution.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →