CVE-2026-30637

HighPublic PoC

Published: 27 March 2026

Published

27 March 2026

Modified

31 March 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0018 38.6th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-30637 is a high-severity SSRF (CWE-918) vulnerability in Otcms Otcms. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates SSRF by validating the untrusted URL input in the AnnounContent parameter of /admin/read.php to prevent unauthorized server requests.

AC-4 Information Flow Enforcement partial match

prevent

Enforces flow control policies to restrict the web server from initiating unauthorized HTTP requests to internal or external destinations specified in crafted inputs.

SC-7 Boundary Protection partial match

prevent

Provides boundary protection through network segmentation and monitoring to block SSRF-exploited requests from reaching sensitive internal services.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1552.005 Cloud Instance Metadata API Credential Access

Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

attack.mitre.org →

T1046 Network Service Discovery Discovery

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

attack.mitre.org →

Why these techniques?

SSRF in unauthenticated public web endpoint directly enables remote exploitation of a public-facing app (T1190); classic SSRF abuse against metadata services enables cloud credential theft (T1552.005); SSRF is routinely used to probe and discover internal network services (T1046).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Server-Side Request Forgery (SSRF) vulnerability exists in the AnnounContent of the /admin/read.php in OTCMS V7.66 and before. The vulnerability allows remote attackers to craft HTTP requests, without authentication, containing a URL pointing to internal services or any remote server

Deeper analysisAI

CVE-2026-30637 is a Server-Side Request Forgery (SSRF) vulnerability affecting the AnnounContent functionality in the /admin/read.php script of OTCMS versions V7.66 and earlier. Published on 2026-03-27, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-918. The flaw enables attackers to manipulate the application into making unauthorized HTTP requests.

Remote attackers can exploit this vulnerability without authentication by crafting requests to /admin/read.php that include URLs targeting internal services or arbitrary remote servers. Successful exploitation grants high confidentiality impact, allowing potential access to sensitive internal resources inaccessible from the public internet, such as metadata services or other backend systems.

Mitigation details are available in the referenced advisory at https://github.com/cryingtor/Code-Audit/blob/master/ssrf.md.