CVE-2022-50944
Aero CMS 0.0.1 PHP Code Injection via posts.php
Vexday Risk Score
41Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 8.7EPSS 0.3%KEV nãoPoC públicaNuclei —Metasploit —Patch —
Lifecycle
10 May 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=add_post parameter, and the uploaded files are executed by the server.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
MegaTKC · Aero CMSpublic PoCs found — 1
cve_referencewww.exploit-db.com/exploits/51085unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.