Mingsoft Mcms vulnerabilities
49 known vulnerabilities affecting mingsoft/mcms.
Total CVEs: 49
CISA KEV: 0
Public exploits: 6
Exploited in wild: 1
Severity breakdown: CRITICAL 28, HIGH 15, MEDIUM 6
Vulnerabilities
Page 2 of 3
CVE-2022-31943 | P3 | CRITICAL | CVSS 9.8 | CWE-434 | v5.2.8 | 2022-07-01
MCMS v5.2.8 was discovered to contain an arbitrary file upload vulnerability.
nvd
CVE-2022-30047 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | v5.2.7 | 2022-05-11
Mingsoft MCMS v5.2.7 was discovered to contain a SQL injection vulnerability in /mdiy/dict/listExcludeApp URI via orderBy parameter.
nvd
CVE-2022-30048 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | v5.2.7 | 2022-05-11
Mingsoft MCMS 5.2.7 was discovered to contain a SQL injection vulnerability in /mdiy/dict/list URI via orderBy parameter.
nvd
CVE-2022-23314 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | v5.2.4 | 2022-01-21
MCMS v5.2.4 was discovered to contain a SQL injection vulnerability via /ms/mdiy/model/importJson.do.
nvd
CVE-2020-23262 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | v5.0.0 | 2021-01-26
An issue was discovered in ming-soft MCMS v5.0, where a malicious user can exploit SQL injection without logging in through /mcms/view.do.
nvd
CVE-2021-46063 | P3 | CRITICAL | CVSS 9.1 | CWE-94 | v5.2.5 | 2022-02-18
MCMS v5.2.5 was discovered to contain a Server Side Template Injection (SSTI) vulnerability via the Template Management module.
nvd
CVE-2026-2666 | P3 | HIGH | CVSS 7.2 | CWE-284 | v6.1.1 | 2026-02-18
A flaw has been found in mingSoft MCMS 6.1.1. The affected element is an unknown function of the file /ms/file/uploadTemplate.do of the component Template Archive Handler. Executing a manipulation of the argument File can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used.
nvd
CVE-2022-36272 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | v5.2.8 | 2022-08-16
Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/page/verify URI via fieldName parameter.
nvd
CVE-2022-36599 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | v5.2.8 | 2022-08-16
Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/model/delete URI via models Lists.
nvd
CVE-2022-47042 | P3 | HIGH | CVSS 8.8 | CWE-434 | v5.2.8, v5.2.9 +1 more | 2023-01-26
MCMS v5.2.10 and below was discovered to contain an arbitrary file write vulnerability via the component ms/template/writeFileContent.do.
nvd
CVE-2022-23899 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | v5.2.5 | 2022-03-03
MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via search.do in the file /web/MCmsAction.java.
nvd
CVE-2026-4953 | P3 | HIGH | CVSS 7.3 | CWE-918 | v5.0, v5.1 +4 more | 2026-03-27
A weakness has been identified in mingSoft MCMS up to 5.5.0. This issue affects the function catchImage of the file net/mingsoft/cms/action/BaseAction.java of the component Editor Endpoint. Executing a manipulation of the argument catchimage can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made
nvd
CVE-2020-22755 | P3 | HIGH | CVSS 8.8 | CWE-434 | v5.0 | 2023-05-08
File upload vulnerability in MCMS 5.0 allows attackers to execute arbitrary code via a crafted thumbnail. A different vulnerability than CVE-2022-31943.
nvd
CVE-2024-42991 | P3 | HIGH | CVSS 8.1 | CWE-434 | v5.4.1 | 2024-09-03
MCMS v5.4.1 has a front-end file upload vulnerability which can lead to remote command execution.
nvd
CVE-2021-46383 | P3 | HIGH | CVSS 7.5 | CWE-89 | ≤ 5.2.5 | 2022-01-26
https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL Injection. The impact is: obtain sensitive information (remote). The component is: net.mingsoft.mdiy.action.web.DictAction#list. The attack vector is: 0 or sleep(3). MCMS has a SQL injection vulnerability through which an attacker can get sensitive information from the database.
nvd
CVE-2021-46385 | P3 | HIGH | CVSS 7.5 | CWE-89 | ≤ 5.2.5 | 2022-01-26
https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL Injection. The impact is: obtain sensitive information (remote). The component is: net.mingsoft.mdiy.action.FormDataAction#queryData. The attack vector is: 0 or sleep(3). MCMS has a SQL injection vulnerability through which an attacker can get sensitive information from the database.
nvd
CVE-2020-20913 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | v4.7.2 | 2023-04-04
SQL Injection vulnerability found in Ming-Soft MCMS v.4.7.2 allows a remote attacker to execute arbitrary code via basic_title parameter.
nvd
CVE-2026-4954 | P3 | MEDIUM | CVSS 6.3 | CWE-74 | v5.0, v5.1 +4 more | 2026-03-27
A security vulnerability has been detected in mingSoft MCMS up to 5.5.0. Impacted is the function list of the file net/mingsoft/cms/action/web/ContentAction.java of the component Web Content List Endpoint. The manipulation leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
nvd
CVE-2021-46037 | P3 | HIGH | CVSS 8.1 | v5.2.4 | 2022-02-18
MCMS v5.2.4 was discovered to contain an arbitrary file deletion vulnerability via the component /template/unzip.do.
nvd
CVE-2018-18831 | P3 | HIGH | CVSS 7.5 | CWE-22 | v4.6.5 | 2018-10-30
An issue was discovered in com\mingsoft\cms\action\GeneraterAction.java in MCMS 4.6.5. An attacker can write a .jsp file (in the position parameter) to an arbitrary directory via a ../ Directory Traversal in the url parameter.
nvd