5.3
Dromara UJCMS 10.0.2: Remote Code Injection via Import Channel
CVE-2026-2954
Summary
A security issue in Dromara UJCMS 10.0.2 allows a remote attacker to inject malicious code by manipulating the driverClassName/url argument sent to the import-channel endpoint (/api/backend/ext/import-data/import-channel). Update to a fixed version once one is released.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| ujcms | ujcms | 10.0.2 | – |
Original title
A vulnerability was found in Dromara UJCMS 10.0.2. Impacted is the function importChanel of the file /api/backend/ext/import-data/import-channel of the component ImportDataController. Performing a ...
Original description
A vulnerability was found in Dromara UJCMS 10.0.2. Impacted is the function importChanel of the file /api/backend/ext/import-data/import-channel of the component ImportDataController. Performing a manipulation of the argument driverClassName/url results in injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS scores
| Source | CVSS version | Score |
|---|---|---|
| NVD | 2.0 | 6.5 |
| NVD | 3.1 | 9.8 |
| NVD | 4.0 | 5.3 |
Vulnerability type
CWE-74: Injection
CWE-707
References
- https://vuldb.com/?ctiid.347320 (Permissions Required, VDB Entry)
- https://vuldb.com/?id.347320 (Third Party Advisory, VDB Entry)
- https://vuldb.com/?submit.755222 (Third Party Advisory, VDB Entry)
- https://www.yuque.com/la12138/pa2fpb/gsz2l14wlz8c4nsn?singleDoc (Broken Link)
Published: 22 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026