Critical File Upload Vulnerability CVE-2016-20052 in Snews CMS — CVSS 9.8
Summary
CVE-2016-20052 is a critical unrestricted file upload vulnerability in Snews CMS 1.7 that allows unauthenticated attackers to upload arbitrary files including PHP executables. Successful exploitation enables remote code execution on the target server. The vulnerability was published to NVD on April 4-5, 2026.
Threat Analysis
CVE-2016-20052 is a critical unrestricted file upload vulnerability (CVSS 9.8) in Snews CMS version 1.7. The flaw allows unauthenticated remote attackers to upload arbitrary files, including PHP executables, to the snews_files directory. Once uploaded, attackers can execute these files to achieve remote code execution (RCE) on the web server.
Affected Products: Snews CMS version 1.7.
Exploitation: A public exploit is available on Exploit-DB (EDB-40706). The vulnerability requires no authentication and has low attack complexity, making it trivially exploitable.
Recommended Mitigations: Upgrade Snews CMS to a patched version if available, or discontinue use of this software. Implement server-side file type validation and restrict executable file uploads. Apply web application firewall (WAF) rules to block malicious upload attempts. Conduct a security audit of any existing Snews CMS installations for signs of compromise.
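One way to approach the audit step above, shown as an added example that is not part of the original advisory or of Snews CMS: a scan of an upload directory such as snews_files for files that carry a PHP-handled extension or contain a PHP open tag. The function names, the extension list and the sample files are assumptions constructed for illustration; match the extension list to the web server's actual handler configuration.

```python
import os
import tempfile

# Assumption: extensions the web server may hand to the PHP interpreter.
PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht"}

def audit_upload_dir(root, max_bytes=1_000_000):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Check every dot-separated part so a name like "x.php.jpg" is flagged too.
            parts = {"." + p for p in name.lower().split(".")[1:]}
            if parts & PHP_EXTS:
                findings.append((rel, "php-extension"))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            # The PHP open tag is case-insensitive, so compare in lower case.
            if b"<?php" in head.lower():
                findings.append((rel, "php-tag-in-content"))
    return sorted(findings)

def demo():
    """Build a constructed sample tree (not real data) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
            "notes.txt": b"meeting notes",
            "avatar.gif": b"GIF89a" + b"<?php",      # image name, PHP tag inside
            "report.php": b"placeholder",
            os.path.join("old", "page.PHTML"): b"placeholder",
        }
        for rel, data in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return audit_upload_dir(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:20} {rel}")
```

Any finding in a directory that should hold only user media warrants review of the file's timestamps and the web server access logs around its creation time.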