CVE-2026-4953

HIGH

mingSoft MCMS Editor Endpoint BaseAction.java catchImage server-side request forgery

Title source: cna

Description

A weakness has been identified in mingSoft MCMS up to 5.5.0. This issue affects the function catchImage of the file net/mingsoft/cms/action/BaseAction.java of the component Editor Endpoint. Executing a manipulation of the argument catchimage can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.

References (4)

[Vdb Entry, Technical Description] https://vuldb.com/?id.353831

[Signature, Permissions Required] https://vuldb.com/?ctiid.353831

[Third Party Advisory] https://vuldb.com/?submit.777516

[Exploit] https://github.com/wing3e/public_exp/issues/3

Scores

CVSS v3 7.3

EPSS 0.0005

EPSS Percentile 16.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (6)

mingSoft/MCMS 5.0

mingSoft/MCMS 5.1

mingSoft/MCMS 5.2

mingSoft/MCMS 5.3

mingSoft/MCMS 5.4

mingSoft/MCMS 5.5.0

Published Mar 27, 2026

Tracked Since Mar 29, 2026