Primary

Context

ImpressCMS Unrestricted File Upload Vulnerability in Version 1.4.4

Vulnerability

A file upload vulnerability has been identified in ImpressCMS version 1.4.4, stemming from inadequate extension sanitization. This flaw allows attackers to upload potentially malicious files by exploiting weak upload restrictions. The vulnerability arises from a blacklist method that fails to effectively filter harmful file types, enabling the execution of arbitrary PHP code on the server.

Impact

Exploitation of this vulnerability allows for unrestricted file uploads, with the potential to execute uploaded PHP files on the server, leading to arbitrary code execution.

Reproduction

The vulnerability can be reproduced by uploading a file with a sanitized extension such as .php2, .php6, .php7, .phps, .pht, .pgif, .shtml, .htaccess, .phar, or .inc. The uploaded file can then be accessed through the web server, where any PHP code included in the file will be executed.

Added: Jan 14, 2026, 12:25 AM

Updated: Jan 14, 2026, 12:25 AM

Vulnerability Rating

Custom Algorithm

spread

2.2

impact

10.0

exploitability

9.3

remediation

0.0

relevance

2.0

threat

6.4

urgency

2.9

incentive

8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

2.2

impact

10.0

exploitability

9.3

remediation

0.0

relevance

2.0

threat

6.4

urgency

2.9

incentive

8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

ImpressCMS Unrestricted File Upload Vulnerability in Version 1.4.4

Vulnerability

Impact

Reproduction

Affected Products

ImpressCMS

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating