Cyber Resilience

CVE-2026-2953

Severity: Medium · Public PoC

Published: 22 February 2026
Modified: 25 February 2026
KEV Added: not listed
Patch: none referenced
CVSS Score (v4): 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0076 (50.5th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-2953 is a medium-severity Path Traversal (CWE-22) vulnerability in Dromara UJCMS. Its CVSS v4 base score is 5.3 (Medium); the CVSS v3.1 base score is 5.4.

Operationally, exploitation aligns with the MITRE ATT&CK technique T1190 (Exploit Public-Facing Application). Its EPSS score places it in the top 49.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2953 is a path traversal vulnerability (CWE-22) in Dromara UJCMS version 101.2 (listed as 10.1.2 under Affected Assets below). The flaw is in the deleteDirectory function reached through WebFileTemplateController.delete in the Template Handler component: the path supplied to the delete operation is not confined to the template directory, so a traversal sequence can point the deletion at a location outside it.

The vulnerability carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L). It is exploitable remotely by an authenticated attacker with low privileges, at low attack complexity and without user interaction. Successful exploitation has limited impact on integrity and availability, such as unauthorized deletion of files or directories reached via traversal; confidentiality is not affected.

Advisories from VulDB state that the exploit has been publicly disclosed and may be used. The vendor was contacted early about the issue but did not respond; no patch or official mitigation is mentioned in the available references.


Vulnerability details

A vulnerability has been found in Dromara UJCMS 101.2. This issue affects the function deleteDirectory of the file WebFileTemplateController.delete of the component Template Handler. Such manipulation leads to path traversal. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

CWE-22 Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A path traversal flaw in a public-facing CMS web application lets a remote, authenticated attacker delete files or directories outside the template directory, which maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2954 (same product: UJCMS)
CVE-2025-2505 (shared CWE-22)
CVE-2026-5841 (shared CWE-22)
CVE-2026-33242 (shared CWE-22)
CVE-2026-33292 (shared CWE-22)
CVE-2026-35605 (shared CWE-22)
CVE-2025-53632 (shared CWE-22)
CVE-2025-8110 (shared CWE-22)
CVE-2026-8757 (shared CWE-22)
CVE-2025-7712 (shared CWE-22)

Affected Assets

Vendor: ujcms
Product: ujcms
Version: 10.1.2

Mitigating Controls (NIST SP 800-53 r5)

SI-10 Information Input Validation (prevent): directly validates inputs to the deleteDirectory function, blocking path traversal sequences such as '../' that reach outside the intended directory.

SI-2 Flaw Remediation (prevent): requires timely identification, reporting and correction of the path traversal flaw in WebFileTemplateController.delete, removing the exploitable code path.

Logical access control (prevent): confines delete operations to the authorized template directories, limiting unauthorized deletion even if a traversal sequence gets past input validation.
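The flaw described in the analysis above (a caller-supplied path joined to the template root and handed to a recursive delete) and the first and third controls listed here (validate the input, confine the delete to the template directory) are shown together in the following class. It is an added example, not UJCMS code: the real WebFileTemplateController.delete and deleteDirectory are not reproduced, and the template-root layout, method names and sample files are assumptions made for the demonstration.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.Comparator;
import java.util.stream.Stream;

/**
 * Added illustration of the CWE-22 shape described for CVE-2026-2953 and one way to
 * close it. Not UJCMS code: method names and directory layout are assumed.
 */
public final class TemplateDeleteExample {

    /** Canonical template root that delete operations must stay inside (assumed layout). */
    private final Path templateRoot;

    public TemplateDeleteExample(Path templateRoot) throws IOException {
        // Resolve symlinks once so every later containment check compares real locations.
        this.templateRoot = templateRoot.toRealPath();
    }

    /** Vulnerable shape: join user input to the root and trust wherever that lands. */
    public Path resolveUnsafe(String userPath) {
        return templateRoot.resolve(userPath).normalize();
    }

    /**
     * Hardened shape (input validation plus confinement): canonicalize the target and
     * refuse anything that is not strictly below the template root.
     */
    public Path resolveSafe(String userPath) throws IOException {
        if (userPath == null || userPath.isEmpty() || userPath.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed path");
        }
        Path candidate = templateRoot.resolve(userPath);
        if (!Files.exists(candidate, LinkOption.NOFOLLOW_LINKS)) {
            throw new IOException("no such template entry: " + userPath);
        }
        // toRealPath() follows symlinks, so a link inside the tree that points outside is
        // caught here; normalize() alone only collapses ".." and would miss it.
        Path real = candidate.toRealPath();
        // startsWith() compares whole path components, so /srv/templates2 does not pass
        // as a child of /srv/templates; equals() stops deletion of the root itself.
        if (!real.startsWith(templateRoot) || real.equals(templateRoot)) {
            throw new SecurityException("refusing to delete outside template root: " + userPath);
        }
        return real;
    }

    /** Recursive delete that only ever runs on a path that passed resolveSafe. */
    public void deleteDirectory(String userPath) throws IOException {
        Path target = resolveSafe(userPath);
        // Files.walk does not follow symlinks by default: a link inside the target is
        // removed as a link, its destination is left alone.
        try (Stream<Path> walk = Files.walk(target)) {
            walk.sorted(Comparator.reverseOrder()).forEach(p -> {
                try {
                    Files.delete(p);
                } catch (IOException e) {
                    throw new UncheckedIOException(e);
                }
            });
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: <tmp>/templates/site1 is legitimate, <tmp>/outside is not.
        Path base = Files.createTempDirectory("ujcms-demo");
        Path root = Files.createDirectories(base.resolve("templates"));
        Files.createDirectories(root.resolve("site1"));
        Files.writeString(root.resolve("site1").resolve("index.html"), "<h1>demo</h1>");
        Path outside = Files.createDirectories(base.resolve("outside"));
        Files.writeString(outside.resolve("secret.txt"), "not a template");

        TemplateDeleteExample handler = new TemplateDeleteExample(root);

        // The traversal payload resolves to a real directory outside the root.
        System.out.println("unsafe resolves to: " + handler.resolveUnsafe("../outside"));

        try {
            handler.resolveSafe("../outside");
        } catch (SecurityException e) {
            System.out.println("safe rejected: " + e.getMessage());
        }

        // A symlink planted inside the tree is also rejected because toRealPath() follows it.
        try {
            Files.createSymbolicLink(root.resolve("link"), outside);
            handler.resolveSafe("link");
        } catch (SecurityException e) {
            System.out.println("safe rejected symlink: " + e.getMessage());
        } catch (IOException | UnsupportedOperationException e) {
            System.out.println("symlink check skipped on this platform: " + e);
        }

        // A legitimate request still works and the outside file survives.
        handler.deleteDirectory("site1");
        System.out.println("site1 deleted: " + !Files.exists(root.resolve("site1")));
        System.out.println("secret intact: " + Files.exists(outside.resolve("secret.txt")));
    }
}
```

Run it with `java TemplateDeleteExample.java` (Java 11 or later). The containment check is done on the canonical path rather than by rejecting the literal string `../`, because encoded or mixed separators and symlinks can all produce the same escape without that substring ever appearing in the request; string blocklists belong at the edge as defence in depth, not as the only control.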
