Mingsoft Mcms vulnerabilities
49 known vulnerabilities affecting mingsoft/mcms.
Total CVEs: 49
CISA KEV: 0
Public exploits: 6
Exploited in wild: 1
Severity breakdown: CRITICAL 28, HIGH 15, MEDIUM 6
Vulnerabilities
Page 1 of 3
CVE-2021-44868 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | Exploited | v5.1 | 2022-02-17
A problem was found in ming-soft MCMS v5.1. There is a sql injection vulnerability in /ms/cms/content/list.do
nvd
CVE-2022-23898 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | PoC | v5.2.5 | 2022-03-03
MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via the categoryId parameter in the file IContentDao.xml.
nvd
CVE-2022-26585 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | PoC | v5.2.7 | 2022-04-05
Mingsoft MCMS v5.2.7 was discovered to contain a SQL injection vulnerability via /cms/content/list.
nvd
CVE-2022-25125 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | PoC | v5.2.4 | 2022-03-03
MCMS v5.2.4 was discovered to contain a SQL injection vulnerability via search.do in the file /mdiy/dict/listExcludeApp.
nvd
CVE-2022-4375 | P2 | CRITICAL | CVSS 9.8 | CWE-707 | PoC | fixed in 5.2.10 | v5.2.0 +9 more | 2022-12-09
A vulnerability was found in Mingsoft MCMS up to 5.2.9. It has been classified as critical. Affected is an unknown function of the file /cms/category/list. The manipulation of the argument sqlWhere leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version
nvd
CVE-2023-50578 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | PoC | v5.2.9 | 2023-12-30
Mingsoft MCMS v5.2.9 was discovered to contain a SQL injection vulnerability via the categoryType parameter at /content/list.do.
nvd
CVE-2024-22567 | P2 | HIGH | CVSS 8.8 | CWE-434 | v5.3.5 | 2024-02-05
File Upload vulnerability in MCMS 5.3.5 allows attackers to upload arbitrary files via crafted POST request to /ms/file/upload.do.
nvd
CVE-2022-22930 | P2 | CRITICAL | CVSS 9.8 | v5.2.4 | 2022-01-21
A remote code execution (RCE) vulnerability in the Template Management function of MCMS v5.2.4 allows attackers to execute arbitrary code via a crafted payload.
nvd
CVE-2021-46386 | P2 | CRITICAL | CVSS 9.8 | CWE-434 | ≤ 5.2.5 | 2022-01-26
File upload vulnerability in mingSoft MCMS through 5.2.5, allows remote attackers to execute arbitrary code via a crafted jspx webshell to net.mingsoft.basic.action.web.FileAction#upload.
nvd
CVE-2021-46384 | P2 | CRITICAL | CVSS 9.8 | CWE-306 | ≤ 5.2.5 | 2022-03-04
https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: RCE. The impact is: execute arbitrary code (remote). The attack vector is: ${"freemarker.template.utility.Execute"?new()("calc")}. MCMS has a pre-auth RCE vulnerability through which allows unauthenticated attacker with network access via http to compromise MCMS. Successful attacks of
nvd
CVE-2021-46036 | P2 | CRITICAL | CVSS 9.8 | CWE-434 | v5.2.4 | 2022-02-18
An arbitrary file upload vulnerability in the component /ms/file/uploadTemplate.do of MCMS v5.2.4 allows attackers to execute arbitrary code.
nvd
CVE-2023-3990 | P3 | MEDIUM | CVSS 6.1 | CWE-79 | PoC | ≤ 5.3.1 | v5.3.0 +1 more | 2023-07-28
A vulnerability classified as problematic has been found in Mingsoft MCMS up to 5.3.1. This affects an unknown part of the file search.do of the component HTTP POST Request Handler. The manipulation of the argument style leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be
nvd
CVE-2022-22928 | P3 | CRITICAL | CVSS 9.8 | CWE-798 | v5.2.4 | 2022-01-21
MCMS v5.2.4 was discovered to have a hardcoded shiro-key, allowing attackers to exploit the key and execute arbitrary code.
nvd
CVE-2025-29287 | P3 | CRITICAL | CVSS 9.8 | CWE-434 | v5.4.3 | 2025-04-21
An arbitrary file upload vulnerability in the ueditor component of MCMS v5.4.3 allows attackers to execute arbitrary code via uploading a crafted file.
nvd
CVE-2025-56316 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | v5.5.0, v6.0.1 | 2025-10-17
A SQL injection vulnerability in the content_title parameter of the /cms/content/list endpoint in MCMS 5.5.0 allows remote attackers to execute arbitrary SQL queries via unsanitized input in the FreeMarker template rendering.
nvd
CVE-2022-22929 | P3 | CRITICAL | CVSS 9.8 | CWE-434 | v5.2.4 | 2022-01-21
MCMS v5.2.4 was discovered to have an arbitrary file upload vulnerability in the New Template module, which allows attackers to execute arbitrary code via a crafted ZIP file.
nvd
CVE-2022-23315 | P3 | CRITICAL | CVSS 9.8 | CWE-434 | v5.2.4 | 2022-01-21
MCMS v5.2.4 was discovered to contain an arbitrary file upload vulnerability via the component /ms/template/writeFileContent.do.
nvd
CVE-2022-27466 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | v5.2.27 | 2022-05-02
MCMS v5.2.27 was discovered to contain a SQL injection vulnerability in the orderBy parameter at /dict/list.do.
nvd
CVE-2018-18830 | P3 | CRITICAL | CVSS 9.8 | CWE-434 | v4.6.5 | 2018-10-30
An issue was discovered in com\mingsoft\basic\action\web\FileAction.java in MCMS 4.6.5. Since the upload interface does not verify the user login status, you can use this interface to upload files without setting a cookie. First, start an upload of JSP code with a .png filename, and then intercept the data packet. In the name parameter, change the
nvd
CVE-2022-30506 | P3 | CRITICAL | CVSS 9.8 | CWE-434 | v5.2.7 | 2022-06-02
An arbitrary file upload vulnerability was discovered in MCMS 5.2.7, allowing an attacker to execute arbitrary code through a crafted ZIP file.
nvd