VYPR
High severity · NVD Advisory · Published Feb 11, 2022 · Updated Aug 2, 2024

OS Command Injection in microweber/microweber

CVE-2022-0557

Description

OS command injection in Microweber before 1.2.11 allows authenticated remote code execution via crafted profile image upload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An OS command injection vulnerability exists in Microweber versions prior to 1.2.11 [1]. The flaw lies in the file upload functionality, specifically the user profile image upload, where a crafted file with a PHP extension (e.g., .php7) can be uploaded and is then executed by the web server [4]. The vulnerability was fixed in commit 0a7e5f1 [3].

Exploitation

An attacker with authenticated access (admin credentials) can exploit this vulnerability. The attacker navigates to the user section and adds/modifies a user's profile image, uploading a specially crafted image file containing PHP code. After upload, the attacker can access the uploaded shell at a predictable path to execute arbitrary commands [4].

Impact

Successful exploitation allows an attacker to achieve remote code execution on the web server with the privileges of the web application. This can lead to full compromise of the application and underlying server [2].

Mitigation

Upgrade to Microweber version 1.2.11 or later, which includes the fix from commit 0a7e5f1 [3]. If upgrading is not immediately possible, restrict file upload permissions and validate file extensions strictly.
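The mitigation above asks for strict extension validation. The patch shown further down on this page works with a deny-list of PHP-family extensions; the following is an added example (written for this page, not Microweber's own code) of the allow-list approach a defender would normally prefer for a profile image upload: every dotted segment of the filename must be an image extension, the bytes must really be an image of an allowed type, and the stored name is chosen by the server so the upload path cannot be predicted from the original filename. Function names, the constant names and the sample filenames are constructed for this illustration.

```php
<?php
// Added example (not Microweber's code): allow-list validation for a profile
// image upload, as an alternative to the extension deny-list in plupload.php.
// Function names, constants and sample inputs are constructed for this page.

declare(strict_types=1);

/** Extensions a profile image may carry; anything else is rejected. */
const ALLOWED_IMAGE_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

/** MIME types the file content must actually match (checked via getimagesize). */
const ALLOWED_IMAGE_MIME = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];

/**
 * True only if every dotted segment after the first is an allowed image
 * extension. Checking all segments, not just the last, rejects names such as
 * "avatar.php7.jpg", which some web server configurations still hand to the
 * PHP handler.
 */
function hasAllowedImageExtension(string $filename): bool
{
    $base  = basename($filename);            // drop any directory component
    $parts = explode('.', strtolower($base)); // lower-case so "PHP7" == "php7"
    if (count($parts) < 2 || $parts[0] === '') {
        return false;                         // no extension, or a dotfile
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array($ext, ALLOWED_IMAGE_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

/**
 * Content check: the bytes must decode as an image of an allowed type.
 * $path is the local temporary file (e.g. $_FILES['image']['tmp_name']).
 */
function isRealImageFile(string $path): bool
{
    $info = @getimagesize($path);
    if ($info === false || empty($info['mime'])) {
        return false;
    }
    return in_array($info['mime'], ALLOWED_IMAGE_MIME, true);
}

/**
 * Server-chosen storage name: a random token plus the extension derived from
 * the detected image type, never the client-supplied filename. Call only
 * after isRealImageFile() returned true.
 */
function storedImageName(string $path): string
{
    $info = getimagesize($path);
    $ext  = ($info !== false) ? image_type_to_extension($info[2], false) : false;
    if ($ext === false) {
        throw new RuntimeException('not an image');
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample filenames for a quick self-check; not real uploads.
$samples = [
    'avatar.png'      => true,
    'AVATAR.JPG'      => true,
    'shell.php'       => false,
    'shell.php7'      => false,
    'avatar.php7.jpg' => false,
    'avatar.jpg.php'  => false,
    '.htaccess'       => false,
    '../avatar.png'   => true,   // directory part stripped, extension allowed
];
foreach ($samples as $name => $expected) {
    $got = hasAllowedImageExtension($name);
    printf("%-16s -> %-5s (%s)\n", $name, var_export($got, true), $got === $expected ? 'ok' : 'FAIL');
}
```

In an upload handler the three functions are used in order: reject the request unless hasAllowedImageExtension() and isRealImageFile() both pass, then move the temporary file to storedImageName() inside a directory where the web server is not configured to execute scripts. The allow-list never needs updating when a new PHP handler extension appears, which is the weakness of the deny-list the patch on this page maintains.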

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                             Affected versions   Patched versions
microweber/microweber (Packagist)   < 1.2.11            1.2.11

Affected products (2)

Patches (1)
0a7e5f1d81de

Update plupload.php

https://github.com/microweber/microweber · Bozhidar Slaveykov · Feb 10, 2022 · via ghsa
1 file changed · +1 −2
  • src/MicroweberPackages/App/functions/plupload.php · +1 −2 · modified
    @@ -149,14 +149,13 @@
                                 $is_ext = strtolower($is_ext);
     
                                 switch ($is_ext) {
    -                                case 'php':
    +                                case 'php': 
                                     case 'php12':
                                     case 'php11':
                                     case 'php10':
                                     case 'php9':
                                     case 'php8':
                                     case 'php7':
    -                                case 'php6':
                                     case 'php5':
                                     case 'php4':
                                     case 'php3':
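Review bot: the only substantive change visible in this hunk is the removal of `case 'php6':` from the extension switch in plupload.php; the `case 'php':` line is removed and re-added with nothing but trailing whitespace changed. As shown, the hunk narrows the set of extensions matched by the switch rather than extending it, and the switch body that decides what happens on a match lies outside the hunk, so this diff alone does not show how an upload with the `.php7` extension described in the Vulnerability section is now rejected. A deny-list of PHP-family extensions also stays fragile: the `strtolower($is_ext)` above handles case variants, but any handler extension not enumerated here passes. I would suggest that the fix compare the extension of a profile image against an allow-list of image extensions instead, and that the commit message say what was changed and why, since "Update plupload.php" gives a reviewer nothing to check against.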
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (6)

News mentions (0)

No linked articles in our index yet.