Cyber Posture

CVE-2026-2953

Severity: Medium · Public PoC

Published: 22 February 2026

Modified: 25 February 2026
KEV Added
Patch
CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)
EPSS Score: 0.0021 (43.5th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability has been found in Dromara UJCMS 101.2. This issue affects the function deleteDirectory of the file WebFileTemplateController.delete of the component Template Handler. Such manipulation leads to path traversal. The attack may be performed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly validates inputs to the deleteDirectory function, blocking path traversal sequences like '../' that enable access outside intended directories.

prevent: Requires timely identification, reporting, and correction of the path traversal flaw in WebFileTemplateController.delete, preventing exploitation.

prevent: Enforces logical access controls to confine delete operations within authorized template directories, mitigating unauthorized file deletions even if traversal occurs.
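The first and third controls above amount to one defensive pattern: canonicalise the template root, resolve the user-supplied path against it, and refuse to delete anything that does not remain inside that root. The class below is an added example written in Java (the language UJCMS is built in); it is not UJCMS code, and the class name, method names, the temporary template root and the sample inputs are all constructed for illustration.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Comparator;
import java.util.stream.Stream;

/**
 * Illustrative guard for a "delete template directory" operation.
 * Added example, not UJCMS code: names and paths here are assumptions.
 */
public class TemplateDirectoryGuard {

    /**
     * Resolve a user-supplied relative path against the template root and
     * throw if the result would escape it (via "..", absolute paths or symlinks).
     */
    public static Path resolveWithinRoot(Path root, String userPath) throws IOException {
        if (userPath == null || userPath.isEmpty()) {
            throw new IllegalArgumentException("path required");
        }
        // NUL bytes and absolute paths never name a template directory; reject early.
        if (userPath.indexOf('\0') >= 0 || Paths.get(userPath).isAbsolute()) {
            throw new SecurityException("rejected path: " + userPath);
        }
        Path realRoot = root.toRealPath();                      // canonical root, symlinks resolved
        Path candidate = realRoot.resolve(userPath).normalize(); // collapses "." and ".." segments
        // Containment check: the normalized path must be a strict descendant of the root.
        if (!candidate.startsWith(realRoot) || candidate.equals(realRoot)) {
            throw new SecurityException("rejected path: " + userPath);
        }
        // If the target exists, resolve its symlinks too and re-check containment,
        // so a link planted inside the root cannot redirect the delete elsewhere.
        if (Files.exists(candidate, LinkOption.NOFOLLOW_LINKS)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(realRoot) || real.equals(realRoot)) {
                throw new SecurityException("rejected path (symlink escape): " + userPath);
            }
            return real;
        }
        return candidate;
    }

    /** Delete a template directory only after the containment check has passed. */
    public static void deleteTemplateDirectory(Path root, String userPath) throws IOException {
        Path target = resolveWithinRoot(root, userPath);
        if (!Files.isDirectory(target, LinkOption.NOFOLLOW_LINKS)) {
            throw new IllegalArgumentException("not a template directory: " + userPath);
        }
        // Files.walk does not follow symlinks, so a link inside the tree is removed as a link only.
        try (Stream<Path> walk = Files.walk(target)) {
            walk.sorted(Comparator.reverseOrder()).forEach(p -> {
                try {
                    Files.delete(p);
                } catch (IOException e) {
                    throw new UncheckedIOException(e);
                }
            });
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox: a temporary template root with one site layout inside it.
        Path root = Files.createTempDirectory("templates");
        Files.createDirectories(root.resolve("site1/layouts"));
        Files.writeString(root.resolve("site1/layouts/index.html"), "<html></html>");

        // Constructed inputs: two legitimate, three that try to leave the root.
        String[] inputs = {
            "site1/layouts", "site1/./layouts/..", "../etc", "site1/../../etc", "/etc"
        };
        for (String in : inputs) {
            try {
                Path p = resolveWithinRoot(root, in);
                System.out.println("ALLOW  " + in + " -> " + root.relativize(p));
            } catch (SecurityException | IllegalArgumentException e) {
                System.out.println("REJECT " + in + " (" + e.getMessage() + ")");
            }
        }

        deleteTemplateDirectory(root, "site1/layouts");
        System.out.println("layouts removed: " + !Files.exists(root.resolve("site1/layouts")));
    }
}
```

The check is done on the canonical (toRealPath) form of both the root and the target, which is what makes the third control ("confine delete operations within authorized template directories") hold even when a request slips past the simpler '../' filter described in the first control. Rejecting the root itself as a target is deliberate: a delete endpoint should never be able to remove the whole template tree.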

Security Summary (AI)

CVE-2026-2953 is a path traversal vulnerability (CWE-22) in Dromara UJCMS version 101.2. The flaw affects the deleteDirectory function in the WebFileTemplateController.delete file of the Template Handler component, enabling manipulation that allows traversal outside intended directories.

The vulnerability carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L). It can be exploited remotely by an authenticated attacker with low privileges, requiring low complexity and no user interaction. Successful exploitation allows limited impacts on integrity and availability, such as unauthorized deletion of files or directories via path traversal.

Advisories from VulDB indicate the exploit has been publicly disclosed and may be used. The vendor was contacted early regarding the issue but provided no response, with no patches or official mitigations mentioned in available references.

Details

CWE(s)

Affected Products

Vendor: ujcms · Product: ujcms · Version: 10.1.2

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Path traversal vulnerability in a public-facing CMS web application enables remote authenticated exploitation for arbitrary file/directory deletion, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References