E107

This hub aggregates every CVE we track for E107, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting E107.

• CVE-2026-48997e107: Command Injection via shell expansion in ImageMagick resize destination path7.1Jun 17, 2026
• CVE-2026-46620e107: CSRF in comment.php moderation endpoints via token-optional validation in session_handler::check()6.5May 26, 2026
• CVE-2026-43935e107: Host Header Injection in e107 password reset enables phishing8.1May 26, 2026
• CVE-2026-43934e107: Broken Access Control in e107 comment edit allows cross-user comment modification6.5May 26, 2026
• CVE-2026-43936e107: Server-Side Request Forgery (SSRF) in the remote file fetcher4.3May 26, 2026
• CVE-2022-50939e107 CMS v3.2.1 - Upload Restriction Bypass with Path Traversal File Override7.2Jan 13, 2026
• CVE-2022-50916e107 CMS v3.2.1 - Upload restriction bypass (Authenticated [Admin])+ Server file override7.2Jan 13, 2026
• CVE-2022-50907e107 CMS v3.2.1 - Admin Upload Restriction Bypass + RCE7.2Jan 13, 2026
• CVE-2022-50906e107 CMS v3.2.1 - Admin Upload Restriction Bypass + Stored XSS4.8Jan 13, 2026
• CVE-2022-50905e107 CMS v3.2.1 - Reflected XSS via Comment Flow9.8Jan 13, 2026
• CVE-2025-11941e107 CMS Avatar image.php path traversal5.4Oct 19, 2025
• CVE-2025-61505e107 CMS thru 2.3.3 are vulnerable to insecure deserialization in the `install.php` script. The script processes user-controlled input in the `previous_steps` POST parameter using `unserialize(base...6.5Oct 10, 2025
• CVE-2023-36121Cross Site Scripting vulnerability in e107 v.2.3.2 allows a remote attacker to execute arbitrary code via the description function in the SEO project.5.4Aug 1, 2023
• CVE-2021-27885usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism.8.8Mar 2, 2021
• CVE-2018-11734In e107 v2.1.7, output without filtering results in XSS.6.1Jul 10, 2019