Phantom Bug: The Curious Case of CVE-2022-50807
Jan 15, 2026
Executive Summary (TL;DR)
Researcher threw SQLi payloads at a CMS. The CMS crashed and showed a stack trace because Debug Mode was on. Researcher called it XPath Injection. NVD called it Critical. The CNA eventually realized it was just a configuration error and rejected it.
A deep dive into a 'vulnerability' that was assigned, feared, and ultimately rejected. Originally classified as a Critical XPath Injection in Concrete CMS, further analysis revealed it to be a simple Full Path Disclosure triggered only when an administrator leaves Debug Mode enabled.
The Hook: The Vulnerability That Wasn't
CVE-2022-50807 is a ghost story in the vulnerability database. Originally flagged as a critical XPath Injection with a terrifying 9.8 CVSS score by automated scanners, it sent admins scrambling. But if you look closer, the ghost fades away. On January 14, 2026, the CVE was officially REJECTED and withdrawn by the CNA.
Why? Because sometimes a bug isn't a bug—it's a feature configured poorly. This report dives into what was claimed (XPath Injection), what was actually happening (Uncaught Exception leading to Path Disclosure), and why "Debug Mode" in production is the real vulnerability here.
It is a classic case of a researcher throwing payloads at a wall and mistaking the resulting loud noise for a successful breach. The community panic was real, but the threat was largely imaginary unless you were already engaging in insecure administrative practices.
The Flaw: Identity Crisis
The researcher claimed this was CWE-643: Improper Neutralization of Data within XPath Expressions. The proof? A payload containing ' or 4591=4591-- triggered an error. To the untrained eye, if you inject SQL/XPath syntax and the server barfs, you've won. You assume the query engine choked on your logic.
However, the stack trace tells the real story. The error didn't happen in an XML parser or an XPath query engine. It happened in Stash\Driver\FileSystem\NativeEncoder.php. The application was trying to translate the 404 page caused by the garbage URL. To do this, it hashed the input to check the filesystem cache.
The input caused the file inclusion logic to fail, raising a PHP Warning which was converted to an Exception. The "Flaw" wasn't code execution or query manipulation; it was the application vomiting its internal state because it was told to do so via display_errors. It is akin to shouting at a librarian and claiming you hacked the library when they get flustered and drop a book.
The Code: Anatomy of a Stack Trace
Let's look at the "smoking gun"—the stack trace provided in the exploit report. The failure occurs here:
Whoops\Exception\ErrorException: include(): Failed opening
'C:/xampp/.../cache/expensive/0fea.../fee8...php'
Concrete CMS (and its underlying Laminas framework) uses a caching system called Stash. When the URL path /ccm50539478' or 4591=4591-- is processed, the router doesn't find a page, so it invokes the "Page Not Found" controller. This controller attempts to translate messages using t().
The translation adapter checks the cache. The cache driver takes our malicious string, mangles it into a file path hash, and tries to include() it. Because the generated path is garbage or the file doesn't exist in a way the driver expects, PHP throws a wobbly. Because the site is running the Whoops error handler (Development Mode), it helpfully prints: C:/xampp/htdocs/pwnedhost/....
This confirms Full Path Disclosure (FPD), but completely disproves the exotic XPath Injection theory. There is no XML being parsed here; just a file system driver crying for help.
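The triage described above, as an added example (not code from the original report or from Concrete CMS): it classifies a response body from your own site by which component the error output names, and lists any absolute paths it leaks. The function name, verdict labels and sample bodies are constructed for illustration.

```python
import re

# Absolute filesystem paths: Windows drive paths or common Unix roots.
PATH_RE = re.compile(
    r"(?:\b[A-Za-z]:[\\/]|(?<![\w.])/(?:var|home|srv|usr|opt)/)[^\s'\"<>:]+")
# Warnings PHP emits when an XPath expression really fails to evaluate.
XPATH_RE = re.compile(r"DOMXPath|SimpleXMLElement::xpath")
# Namespace of the Whoops debug error handler seen in the trace.
WHOOPS_RE = re.compile(r"Whoops\\Exception")

def triage(body: str) -> dict:
    """Classify one HTTP response body by what its error output reveals."""
    paths = sorted(set(PATH_RE.findall(body)))
    if XPATH_RE.search(body):
        verdict = "xpath-error-output"     # a query engine is involved: review it
    elif paths or WHOOPS_RE.search(body):
        verdict = "debug-path-disclosure"  # CWE-209: error detail reaches the client
    else:
        verdict = "clean"
    return {"verdict": verdict, "paths": paths}

# Constructed sample bodies (not captured from any real site).
DEBUG_BODY = ("Whoops\\Exception\\ErrorException: include(): Failed opening "
              "'C:/www/example-site/cache/expensive/0000/1111.php'\n"
              "#0 C:/www/example-site/vendor/Stash/Driver/FileSystem/NativeEncoder.php:26")
PROD_BODY = '<h1>Page Not Found</h1><a href="https://example.com/home/news">Home</a>'
XPATH_BODY = ("Warning: DOMXPath::query(): Invalid expression "
              "in /var/www/app/lookup.php on line 12")

if __name__ == "__main__":
    for name, body in (("debug", DEBUG_BODY), ("prod", PROD_BODY), ("xpath", XPATH_BODY)):
        print(name, triage(body))
```

Only the third sample names an XPath API; the debug-mode sample leaks paths from a cache driver, which is the distinction the stack trace in this report turns on.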
The Exploit: Script Kiddie Magic
The exploit provided by the researcher is a masterclass in "copy-paste payloads until something breaks."
The Attack Vector:
GET /concrete-cms-9.1.3/index.php/ccm50539478' or 4591=4591-- /assets/localization/moment/js HTTP/1.1
Host: target.com
The Logic:
- The attacker sends a request with characters that look like a query bypass (' or 1=1).
- The server tries to process this route.
- The server fails to find the route, tries to localize the 404 error.
- The caching mechanism crashes on the special characters.
- If and only if the server is in Debug Mode, it returns the stack trace.
If you run this against a production server (Debug Off), you get a standard 404 or 500 error page. No data leaked. No shell. No XPath injection. Just a broken link.
The Fix: The 'Off' Switch
Since this CVE was rejected, there is no official "patch" code because the software presumably works as intended (it caches things, and it errors when things break). The vulnerability is purely configuration-based.
The Remediation:
Open your php.ini and set display_errors = Off. In the Concrete CMS dashboard, ensure the "Debug Level" is set to "Hide errors".
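One way to check the php.ini half of this remediation, as an added example (not part of the original write-up): it finds the display_errors assignment that takes effect in a php.ini text. The function names and sample file are constructed; it assumes the last uncommented assignment wins and ignores [PATH=]/[HOST=] sections and runtime overrides such as ini_set(), .user.ini or .htaccess.

```python
import re

# Values PHP reads as "disabled"; anything else is flagged for review.
OFF_VALUES = {"off", "0", "false", "no", "none", ""}

def effective_display_errors(ini_text: str):
    """Return (value, line_no) of the last active display_errors line, or (None, None)."""
    found = (None, None)
    for n, line in enumerate(ini_text.splitlines(), 1):
        line = line.split(";", 1)[0].strip()        # ';' starts a comment in php.ini
        # Directive names are case sensitive; display_startup_errors must not match.
        m = re.fullmatch(r"display_errors\s*=\s*(.*)", line)
        if m:
            found = (m.group(1).strip().strip("\"'"), n)  # later lines override earlier
    return found

def audit(ini_text: str) -> str:
    value, line_no = effective_display_errors(ini_text)
    if value is None:
        # A commented-out or missing directive falls back to PHP's built-in default.
        return "FAIL: display_errors not set; PHP's built-in default is on"
    if value.lower() in OFF_VALUES:
        return f"OK: display_errors = {value} (line {line_no})"
    return f"FAIL: display_errors = {value} (line {line_no})"

# Constructed sample: the safe setting is overridden further down the file.
SAMPLE_INI = """\
[PHP]
;display_errors = Off
display_errors = Off
error_reporting = E_ALL
display_errors = On   ; left over from a debugging session
"""

if __name__ == "__main__":
    print(audit(SAMPLE_INI))
```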
The Lesson: If your application screams its internal file structure to the world every time someone makes a typo in the URL, you don't need a code patch—you need a better sysadmin. Security through obscurity is debatable, but "Security by printing your directory structure to the browser" is objectively terrible.
Technical Appendix
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Concrete CMS | = 9.1.3 | N/A |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-209 (Sensitive Information via Error Message) |
| Attack Vector | Network (URL Parameter) |
| CVSS | 0.0 (Rejected) |
| Status | REJECTED |
| Original Claim | XPath Injection (CWE-643) |
| Actual Impact | Full Path Disclosure (FPD) |
CWE-209: The product generates an error message that includes sensitive information about its environment, users, or associated data.