{"id":"CVE-2022-26521","details":"Abantecart through 1.3.2 allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Catalog\u003eMedia Manager\u003eImages settings can be changed by an administrator (e.g., by configuring .php to be a valid image file type).","aliases":["BIT-abantecart-2022-26521"],"modified":"2026-04-12T05:04:44.792960Z","published":"2022-03-10T17:47:46.260Z","references":[{"type":"WEB","url":"http://packetstormsecurity.com/files/171487/Abantecart-1.3.2-Remote-Code-Execution.html"},{"type":"EVIDENCE","url":"https://github.com/sartlabs/0days/blob/main/Abantecart/Exploit.txt"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/abantecart/abantecart-src","events":[{"introduced":"0"},{"last_affected":"3c7705381efb8be7e209e528464f20d732979291"}],"database_specific":{"cpe":"cpe:2.3:a:abantecart:abantecart:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"1.3.2"}],"source":"CPE_FIELD"}}],"versions":["1.2.10","1.2.11","1.2.12","1.2.13","1.2.14","1.2.15","1.2.16","1.2.8","1.3.0","1.3.1","1.3.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-26521.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}