CVE-2026-2953
Published: 22 February 2026
Summary
CVE-2026-2953 is a medium-severity Path Traversal (CWE-22) vulnerability in Ujcms Ujcms. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-2953 is a path traversal vulnerability (CWE-22) in Dromara UJCMS version 101.2. The flaw is in the deleteDirectory function of the file WebFileTemplateController.delete, part of the Template Handler component: manipulation of the directory argument allows the delete operation to traverse outside the intended template directories.
The vulnerability carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L). It can be exploited remotely by an authenticated attacker with low privileges, with low attack complexity and no user interaction. Successful exploitation has a limited impact on integrity and availability, such as unauthorized deletion of files or directories through the traversed path.
Advisories from VulDB indicate the exploit has been publicly disclosed and may be used. The vendor was contacted early regarding the issue but provided no response, with no patches or official mitigations mentioned in available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7683
Vulnerability details
A vulnerability has been found in Dromara UJCMS 101.2. This issue affects the function deleteDirectory of the file WebFileTemplateController.delete of the component Template Handler. Such manipulation leads to path traversal. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal vulnerability in a public-facing CMS web application enables remote authenticated exploitation for arbitrary file/directory deletion, directly mapping to T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly validates inputs to the deleteDirectory function, blocking path traversal sequences like '../' that enable access outside intended directories.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of the path traversal flaw in WebFileTemplateController.delete, preventing exploitation.
- Access enforcement: enforces logical access controls to confine delete operations within authorized template directories, mitigating unauthorized file deletions even if traversal occurs.
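The input-validation and containment controls above, as an added example that is not UJCMS's own code: a hypothetical `SafeTemplateDelete` helper that resolves the requested directory against a fixed template root and refuses anything that lexically or, after symlink resolution, physically escapes it, before any file is touched. The class name, the root directory and the sample paths are assumptions for illustration.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Comparator;
import java.util.stream.Stream;

// Hypothetical hardened delete helper written for this page; not UJCMS's own code.
public final class SafeTemplateDelete {
    private final Path templateRoot;

    public SafeTemplateDelete(Path templateRoot) throws IOException {
        // Resolve the root once so symlinks and ".." in the base itself are gone.
        this.templateRoot = templateRoot.toRealPath();
    }

    /** Returns the real path if it lies inside the template root, otherwise throws. */
    public Path resolveInsideRoot(String userSuppliedPath) throws IOException {
        if (userSuppliedPath == null || userSuppliedPath.isEmpty()) {
            throw new IllegalArgumentException("empty path");
        }
        // resolve() keeps an absolute argument as-is, so "/etc" is caught by startsWith below.
        Path requested = templateRoot.resolve(userSuppliedPath).normalize();
        if (!requested.startsWith(templateRoot)) {
            throw new SecurityException("path escapes template root: " + userSuppliedPath);
        }
        // Check the real path too, so a symlink inside the root cannot point outside it.
        Path real = requested.toRealPath();
        if (!real.startsWith(templateRoot)) {
            throw new SecurityException("symlink escapes template root: " + userSuppliedPath);
        }
        return real;
    }

    public void deleteDirectory(String userSuppliedPath) throws IOException {
        Path target = resolveInsideRoot(userSuppliedPath);
        if (target.equals(templateRoot)) {
            throw new SecurityException("refusing to delete the template root itself");
        }
        // Deepest-first so children are removed before their parents.
        try (Stream<Path> walk = Files.walk(target)) {
            walk.sorted(Comparator.reverseOrder()).forEach(p -> {
                try { Files.delete(p); } catch (IOException e) { throw new UncheckedIOException(e); }
            });
        }
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("templates");   // constructed sample root
        Files.createDirectories(root.resolve("site/old"));
        SafeTemplateDelete d = new SafeTemplateDelete(root);
        d.deleteDirectory("site/old");     // allowed: inside the root
        d.deleteDirectory("../../etc");    // throws SecurityException before touching anything
    }
}
```

The lexical `startsWith` check alone is not enough when the template root can contain symlinks, which is why the real path is compared a second time.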