CVE-2022-50807
Phantom Bug: The Curious Case of CVE-2022-50807
Alon Barad
Software Engineer · Jan 15, 2026 · 4 min read
PoC Available
Executive Summary (TL;DR)
A researcher threw SQLi payloads at a CMS. The CMS crashed and showed a stack trace because Debug Mode was on. The researcher called it XPath Injection. NVD called it Critical. The CNA eventually realized it was just a configuration error and rejected it.
A deep dive into a 'vulnerability' that was assigned, feared, and ultimately rejected. Originally classified as a Critical XPath Injection in Concrete CMS, it turned out on further analysis to be a simple Full Path Disclosure, triggered only when an administrator leaves Debug Mode enabled.
Technical Appendix
CVSS Score
0.0 (Rejected) / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
EPSS Probability
0.05%
Top 85% most exploited
Affected Systems
Concrete CMS 9.1.3
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Concrete CMS | = 9.1.3 | N/A |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-209 (Sensitive Information via Error Message) |
| Attack Vector | Network (URL Parameter) |
| CVSS | 0.0 (Rejected) |
| Status | REJECTED |
| Original Claim | XPath Injection (CWE-643) |
| Actual Impact | Full Path Disclosure (FPD) |
MITRE ATT&CK Mapping
CWE-209: Generation of Error Message Containing Sensitive Information
The product generates an error message that includes sensitive information about its environment, users, or associated data.
Known Exploits & Detection
Vulnerability Timeline
- 2022-11-28: Vulnerability reported by researcher
- 2023-03-30: Exploit published on Exploit-DB
- 2026-01-13: CVE published in NVD
- 2026-01-14: CVE Rejected/Withdrawn by CNA