CVE-2026-2863

A flaw has been found in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. The impacted element is the function deleteFile of the file FileServiceImpl.java. This manipulation causes path traversal. The attack can be initiated remotely. The exploit has been published and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet.

CVSS v3 5.4 MEDIUM
CVSS v2.0 5.5 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

5.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:P

Exploitability : 8.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/megagao/production_ssm/issues/37
https://github.com/megagao/production_ssm/issues/37#issue-3914979380
https://vuldb.com/?ctiid.347102
https://vuldb.com/?id.347102
https://vuldb.com/?submit.754530

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Se ha encontrado una vulnerabilidad en feng_ha_ha/megagao ssm-erp y production_ssm hasta 4288d53bd35757b27f2d070057aefb2c07bdd097 que afecta a la función deleteFile del archivo FileServiceImpl.java. Su manipulación provoca un salto de ruta. El ataque puede iniciarse de forma remota. El exploit ha sido publicado y puede ser utilizado. En este producto se realizan entregas continuas con lanzamientos progresivos, por lo tanto, no hay detalles de versión de las versiones afectadas ni actualizadas. Este producto se distribuye bajo dos nombres completamente diferentes. Antes de la divulgar esta vulnerabilidad se contactó con el proyecto a través de un informe de incidencias, pero aún no ha respondido.

21 Feb 2026, 06:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-21 06:17

Updated : 2026-06-17 10:31

NVD link : CVE-2026-2863

Mitre link : CVE-2026-2863

CVE.ORG link : CVE-2026-2863

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

5.4 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

5.5 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2026-2863

5.4^/10

5.5^/10

Attach tags to `CVE-2026-2863`