CVE-2026-2957
Published: 22 February 2026
Summary
CVE-2026-2957 is a medium-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Dst-Admin Project Dst-Admin. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 28.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-5 (Denial-of-service Protection).
Deeper analysis
CVE-2026-2957 is a vulnerability identified in qinming99 dst-admin versions up to 1.5.0. It affects the deleteBackup function in the file src/main/java/com/tugos/dst/admin/controller/BackupController.java within the File Handler component, leading to a denial of service condition. The issue is classified under CWE-404 and has a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L).
The vulnerability can be exploited remotely by an attacker with low privileges. Exploitation requires network access and low-privilege authentication but no user interaction, enabling the attacker to cause limited integrity and availability impacts, such as partial denial of service, without affecting confidentiality.
VulDB advisories note that an exploit has been made publicly available and could be used for attacks. The vendor was contacted early regarding this disclosure but did not respond, indicating no official patches or mitigations have been issued.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7595
Vulnerability details
A weakness has been identified in qinming99 dst-admin up to 1.5.0. This impacts the function deleteBackup of the file src/main/java/com/tugos/dst/admin/controller/BackupController.java of the component File Handler. This manipulation causes denial of service. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats: MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remotely exploitable DoS in a public-facing Java web controller (deleteBackup) directly enables T1190 (Exploit Public-Facing Application) for initial access and T1499.004 (Endpoint Denial of Service: Application or System Exploitation) for application exploitation causing partial availability/integrity impact.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces access-control policy on the deleteBackup endpoint so that only authorized callers can invoke file-handler operations, directly blocking the low-privilege remote abuse that triggers the DoS.
- SC-5 (Denial-of-service Protection): Requires the system to protect against or limit the effects of denial-of-service attacks, directly mitigating the availability impact produced by manipulation of the deleteBackup function.
- Input validation: Validates all inputs to the BackupController before any file or resource operation occurs, preventing malformed requests that lead to improper resource handling and subsequent DoS.