CVE-2026-2954
MEDIUMDromara UJCMS 10.0.2 - Code Injection
Title source: llmDescription
A vulnerability was found in Dromara UJCMS 10.0.2. Impacted is the function importChanel of the file /api/backend/ext/import-data/import-channel of the component ImportDataController. Performing a manipulation of the argument driverClassName/url results in injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Scores
CVSS v3
6.3
EPSS
0.0004
EPSS Percentile
13.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Classification
CWE
CWE-707
CWE-74
Status
published
Affected Products (1)
ujcms/ujcms
Timeline
Published
Feb 22, 2026
Tracked Since
Feb 22, 2026