Cyber Posture

CVE-2026-2957

Medium · Public PoC

Published: 22 February 2026

Modified: 25 February 2026
KEV Added
Patch
CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)
EPSS Score: 0.0006 (20.1th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-2957 is a medium-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Dst-Admin Project Dst-Admin. Its CVSS base score is 5.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 20.1th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-404

Contingency plan updates incorporate proper resource shutdown and release steps, preventing attackers from leveraging incomplete cleanup during recovery scenarios.

addresses: CWE-404

Mandates explicit shutdown of the network connection at session conclusion, directly addressing improper resource release.

addresses: CWE-404

Requires proper shutdown/release procedures that include overwriting or isolating data to block unintended transfer via reused system objects.

addresses: CWE-404

Procedures can mandate orderly shutdown or release of resources when failures occur, preventing improper resource handling after a fault.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 · Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

A remotely exploitable DoS in a public-facing Java web controller (deleteBackup) directly enables T1190 for initial access and T1499.004 for application exploitation, causing partial availability and integrity impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A weakness has been identified in qinming99 dst-admin up to 1.5.0. This impacts the function deleteBackup of the file src/main/java/com/tugos/dst/admin/controller/BackupController.java of the component File Handler. This manipulation causes denial of service. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysis (AI)

CVE-2026-2957 is a vulnerability identified in qinming99 dst-admin versions up to 1.5.0. It affects the deleteBackup function in the file src/main/java/com/tugos/dst/admin/controller/BackupController.java within the File Handler component, leading to a denial of service condition. The issue is classified under CWE-404 and has a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L).

The vulnerability can be exploited remotely by an attacker with low privileges. Exploitation requires network access and low-privilege authentication but no user interaction, enabling the attacker to cause limited integrity and availability impacts, such as partial denial of service, without affecting confidentiality.

VulDB advisories note that an exploit has been made publicly available and could be used for attacks. The vendor was contacted early regarding this disclosure but did not respond, indicating no official patches or mitigations have been issued.

Details

CWE(s)

Affected Products

dst-admin project · dst-admin · ≤ 1.5.0

CVEs Like This One

CVE-2026-2956: Same product: Dst-Admin Project Dst-Admin
CVE-2024-57623: Shared CWE-404
CVE-2026-1974: Shared CWE-404
CVE-2026-1171: Shared CWE-404
CVE-2024-57661: Shared CWE-404
CVE-2024-57654: Shared CWE-404
CVE-2025-24811: Shared CWE-404
CVE-2025-15528: Shared CWE-404
CVE-2026-1173: Shared CWE-404
CVE-2024-57618: Shared CWE-404
