4images Remote Command Execution Vulnerability

Vulnerability

A remote command execution vulnerability has been identified in 4images version 1.9. It allows an authenticated administrator to inject reverse shell code through the template editing feature. Once the malicious code is saved in a template, it is executed when the categories.php endpoint is requested with a crafted cat_id parameter.

Impact

Exploitation of this vulnerability allows for remote command execution on the server where 4images is hosted.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to the template editing section. Select the 'default_960px' template pack and load the 'categories.html' template. Inject reverse shell code into the template and save the changes. The injected code is executed when the 'categories.php' endpoint is requested with the appropriate cat_id parameter.
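A defender-side check for this issue is to scan the template packs for server-side code that a 4images HTML template never needs. The script below is an added example, not code from the 4images project or the advisory; it assumes templates live under <webroot>/templates/<pack>/*.html (the advisory names default_960px/categories.html) and that an injected payload is PHP embedded in the template.

```python
"""Flag PHP code planted in 4images template packs (added example, not
4images code). Assumes templates are <webroot>/templates/<pack>/*.html and
that an injected payload is PHP embedded in an HTML template."""
import os
import re
import sys

# A legitimate 4images .html template never contains a PHP open tag.
PHP_OPEN_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
# Functions a web shell or reverse shell typically relies on (assumed list).
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|system|exec|shell_exec|passthru|popen|proc_open|fsockopen)\s*\(",
    re.IGNORECASE,
)


def scan_template_text(name, text):
    """Return (template, line_no, reason) findings for one template's text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if PHP_OPEN_TAG.search(line):
            findings.append((name, line_no, "php-open-tag"))
        m = SUSPICIOUS_CALLS.search(line)
        if m:
            findings.append((name, line_no, "call:" + m.group(1).lower()))
    return findings


def scan_templates_dir(root):
    """Walk every template pack under root and scan each .html file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if not fname.endswith(".html"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                rel = os.path.relpath(path, root)
                findings.extend(scan_template_text(rel, fh.read()))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_templates_dir(sys.argv[1])  # path to the templates dir
    else:  # no path given: run on a constructed sample template
        hits = scan_template_text("default_960px/categories.html",
                                  "<div>{cat_name}</div>\n<?php passthru($cmd); ?>\n")
    for name, line_no, reason in hits:
        print(f"{name}:{line_no}: {reason}")
    sys.exit(1 if hits else 0)
```

A non-zero exit status makes the check usable from a cron job or a deployment pipeline, and pairing it with a file-integrity baseline of the templates directory also catches edits that avoid these markers.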

Added: Jan 13, 2026, 11:28 PM
Updated: Jan 13, 2026, 11:28 PM

Vulnerability Rating (Custom Algorithm)

  spread          1.0
  impact          7.5
  exploitability  6.3
  remediation     0.0
  relevance       2.0
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.