Platform: java
Component: public_exp
Fixed in: 5.0.1, 5.1.1, 5.2.1, 5.3.1, 5.4.1, 5.5.1
A server-side request forgery (SSRF) vulnerability has been discovered in mingSoft MCMS versions 5.0 to 5.5.0. This flaw resides within the catchImage function of the net/mingsoft/cms/action/BaseAction.java file, specifically within the Editor Endpoint. Successful exploitation allows attackers to manipulate internal requests, potentially leading to unauthorized access and data exposure.
The SSRF vulnerability in mingSoft MCMS allows an attacker to craft malicious requests through the catchimage parameter. This can be leveraged to access internal resources that are not directly accessible from the outside world, such as internal APIs, databases, or other sensitive services. An attacker could potentially read sensitive data, modify configurations, or even gain a foothold for further attacks. The public availability of an exploit significantly increases the risk of exploitation, as it lowers the barrier to entry for malicious actors. This vulnerability could lead to data breaches, system compromise, and disruption of services.
This vulnerability is considered high risk due to its SSRF nature and the availability of a public exploit. The exploit's public release suggests a higher probability of active exploitation. While no specific campaigns or actor attribution are currently known, the ease of exploitation makes it a likely target for opportunistic attackers. The CVE was published on 2026-03-27.
Organizations using mingSoft MCMS versions 5.0 through 5.5.0 are at risk, particularly those with internal services accessible through the Editor Endpoint. Shared hosting environments utilizing MCMS are also at increased risk due to the potential for cross-tenant exploitation.
• java / server:
grep -r 'net/mingsoft/cms/action/BaseAction.java' /path/to/mcms/source
grep -r 'catchImage' /path/to/mcms/logs
• generic web:
curl -I http://your-mcms-server/editor/baseAction.action?catchimage=http://internal-servicedisclosure
Exploit status
EPSS: 0.05% (percentile 16%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4953 is to upgrade to a patched version of mingSoft MCMS. Unfortunately, a fixed version is not specified in the provided data. As a temporary workaround, implement strict input validation on the catchimage parameter to prevent malicious URLs. Consider using a Web Application Firewall (WAF) with SSRF protection rules to block suspicious requests. Monitor access logs for unusual outbound requests originating from the Editor Endpoint.
Update mingSoft MCMS to a version later than 5.5.0. This fixes the Server-Side Request Forgery (SSRF) vulnerability in the Editor Endpoint component.
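One way to implement the strict input validation recommended above, as an added example that is not mingSoft's code: a hypothetical Java guard for a remote-image URL parameter such as catchimage. It enforces http/https only, an allowlist of image hosts (the host names are constructed), and rejects any URL whose host resolves to a loopback, private, link-local or unspecified address.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

/** Hypothetical validator for a server-side image fetch parameter (e.g. catchimage). */
public final class RemoteImageUrlGuard {

    // Constructed allowlist: only hosts the CMS is expected to fetch images from.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("images.example.com", "cdn.example.com");

    /** Returns true only if the URL may be fetched from the server side. */
    public static boolean isAllowed(String rawUrl) {
        final URI uri;
        try {
            uri = new URI(rawUrl).normalize();
        } catch (Exception e) {
            return false; // unparsable input is rejected, not "best-effort" fetched
        }
        String scheme = uri.getScheme();
        if (scheme == null) return false;
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false; // blocks file:, jar:, gopher:, dict: and similar schemes
        }
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null) {
            return false; // no host, or user@host tricks that confuse naive parsers
        }
        if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return false;
        }
        // Defence in depth: even an allowlisted name must not resolve to an internal
        // address (covers 127/8, 10/8, 172.16/12, 192.168/16, 169.254/16, ::1, fe80::/10).
        // Note: isSiteLocalAddress() does not cover 100.64/10 or IPv6 fc00::/7; add
        // explicit prefix checks if those ranges matter in your environment.
        try {
            for (InetAddress addr : InetAddress.getAllByName(host)) {
                if (addr.isLoopbackAddress() || addr.isSiteLocalAddress()
                        || addr.isLinkLocalAddress() || addr.isAnyLocalAddress()
                        || addr.isMulticastAddress()) {
                    return false;
                }
            }
        } catch (UnknownHostException e) {
            return false;
        }
        return true;
    }
}
```

The HTTP client that performs the fetch must connect to the address checked here (or re-run the check on every redirect target) and must not follow redirects automatically, otherwise a DNS rebind or a 302 to an internal host bypasses the validation.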
CVE-2026-4953 is a server-side request forgery vulnerability in mingSoft MCMS versions 5.0 to 5.5.0, allowing attackers to manipulate internal requests.
You are affected if you are using mingSoft MCMS versions 5.0 through 5.5.0 and have not upgraded to a patched version.
Upgrade to a patched version of mingSoft MCMS. Until a patch is available, implement input validation and WAF rules to mitigate the risk.
Due to the public availability of an exploit, CVE-2026-4953 is likely being actively exploited or targeted by attackers.
Refer to the mingSoft MCMS official website or security advisories for the latest information and updates regarding CVE-2026-4953.