CVE-2026-2954

🗓️ 22 Feb 2026 15:02:17Reported by VulDBType

cve🔗 web.nvd.nist.gov👁 5 Views🌐 WEB

Dromara UJCMS 10.0.2 allows remote injection via import-channel in ImportDataController.

Reporter	Title	Published	Views	Family All 7
ATTACKERKB	CVE-2026-2954	22 Feb 202615:02	–	attackerkb
CNNVD	UJCMS 安全漏洞	22 Feb 202600:00	–	cnnvd
Cvelist	CVE-2026-2954 Dromara UJCMS ImportDataController import-channel importChanel injection	22 Feb 202615:02	–	cvelist
NVD	CVE-2026-2954	22 Feb 202615:16	–	nvd
Positive Technologies	PT-2026-21455	22 Feb 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-2954	23 Feb 202619:35	–	redhatcve
Vulnrichment	CVE-2026-2954 Dromara UJCMS ImportDataController import-channel importChanel injection	22 Feb 202615:02	–	vulnrichment

NVD

Vulners

Node

ujcms ujcmsMatch10.0.2

[
  {
    "vendor": "Dromara",
    "product": "UJCMS",
    "versions": [
      {
        "version": "10.0.2",
        "status": "affected"
      }
    ],
    "cpes": [
      "cpe:2.3:a:ujcms:ujcms:*:*:*:*:*:*:*:*"
    ],
    "modules": [
      "ImportDataController"
    ]
  }
]

Source	Link
yuque	www.yuque.com/la12138/pa2fpb/gsz2l14wlz8c4nsn
vuldb	www.vuldb.com/
vuldb	www.vuldb.com/
vuldb	www.vuldb.com/

Parameter	Position	Path	Description	CWE
driverClassName	request body	api/backend/ext/import-data/import-channel	Injection via manipulation of driverClassName and url arguments in ImportDataController.import-channel leading to remote code injection.	CWE-74, CWE-707
url	request body	api/backend/ext/import-data/import-channel	Injection via manipulation of driverClassName and url arguments in ImportDataController.import-channel leading to remote code injection.	CWE-74, CWE-707

29 Apr 2026 01:00Current

6.3Medium risk

Vulners AI Score6.3

CVSS 3.16.3 - 9.8

CVSS 45.3

CVSS 26.5

CVSS 36.3

EPSS0.0006

SSVC