Description
A vulnerability has been found in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. This affects the function pictureDelete of the file PictureController.java. Such manipulation of the argument picName leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Path Traversal
Action: Apply Patch
AI Analysis

Impact

CVE-2026-2864 is a path traversal (CWE-22) flaw in the pictureDelete function of PictureController.java. The handler takes a picName argument and uses it to build the path of the file to delete; because that value is not confined to the image directory, a crafted picName (for example one carrying ".." components, which the recommended fix below explicitly rejects) resolves to a file outside that directory. The request is an ordinary HTTP request, so the flaw is reachable remotely; the CVSS vectors recorded on this page rate it PR:L, so the attacker needs a low-privileged account on the application, not anonymous access. The rated impact is to integrity and availability only (C:N/I:L/A:L): the primitive is deletion of files the web server process is allowed to delete, not disclosure of their contents. The root cause is the classic CWE-22 pattern, in which the application fails to constrain the file system locations it operates on.

Affected Systems

The same code base is published under two vendor names, feng_ha_ha and megagao, and two product names, ssm-erp and production_ssm; all of these refer to one application. The path traversal flaw is present in all revisions up to commit 4288d53bd35757b27f2d070057aefb2c07bdd097. The project does not tag releases, so there are no version numbers to compare against; an affected deployment is identified by the git commit it was built from, and as of this page no later commit is known to fix the issue.

Risk and Exploitability

The CVSS v4.0 base score is 5.3 (medium); the v3.0 and v3.1 scores are 5.4 and the v2.0 score is 5.5, all with the same shape: network-reachable, low attack complexity, low privileges required, no user interaction, low integrity and availability impact. The EPSS score is below 1 %, the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records exploitation as "poc", technical impact "partial" and not automatable. Exploitation requires network access to the endpoint and, per the PR:L metric, a low-privileged account that can reach the delete function; a crafted picName value is then sufficient. A proof of concept is public, and no patch or workaround is available from the project, which had not responded to the issue report at the time of publication. Until the code is fixed, the risk stands, particularly where the application is exposed to untrusted users or where the web process can delete files beyond the image directory.

Generated by OpenCVE AI on April 18, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • No fixed commit is available as of this page. Watch the project repositories for a commit after 4288d53bd35757b27f2d070057aefb2c07bdd097 that corrects pictureDelete and update to it once published; until then, apply the server-side validation described in the third item yourself, or disable the delete endpoint.
  • Run the web process with write and delete permission on the image directory only, and never as root, so that a traversal cannot remove configuration, class files or data elsewhere on the host.
  • Validate picName on the server side: accept only a bare file name (no path separators, no ".." components, no NUL bytes), then resolve it against the image directory, normalize the result and verify that the canonical path is still inside that directory before calling delete.
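The check in the last item, written out as an added example. This is not code from ssm-erp/production_ssm, whose PictureController.java is not reproduced on this page; the handler shape (a delete operation taking a picName string), the upload directory /var/app/upload/images and the class and method names are assumed for illustration. The naive helper shows how an unconfined picName escapes the directory; the hardened helper rejects anything that is not a bare file name and then re-checks the normalized and real paths against the root before deleting.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not code from ssm-erp/production_ssm. The handler shape,
// the class name and the upload directory are assumptions.
public class PictureDeleteExample {

    // Hypothetical upload root; the real project's location is not on the page.
    private static final Path IMAGE_ROOT =
            Paths.get("/var/app/upload/images").toAbsolutePath().normalize();

    /** Vulnerable pattern: the user-supplied name is joined onto the root without
     *  confinement, so ".." components walk out of IMAGE_ROOT. */
    static Path vulnerableTarget(String picName) {
        return Paths.get(IMAGE_ROOT.toString(), picName);
    }

    /** Hardened: accept only a bare file name, then confine the normalized path
     *  to IMAGE_ROOT and re-check after normalization. */
    static Path safeTarget(String picName) {
        if (picName == null || picName.isEmpty()) {
            throw new IllegalArgumentException("picName is required");
        }
        // A bare file name has no separators, no parent references and no NUL.
        if (picName.contains("/") || picName.contains("\\")
                || picName.contains("..") || picName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid picName");
        }
        Path target = IMAGE_ROOT.resolve(picName).normalize();
        // Defense in depth: even after the lexical checks, confirm the resolved
        // path is inside the image directory and is not the directory itself
        // (which is what "." would normalize to).
        if (!target.startsWith(IMAGE_ROOT) || target.equals(IMAGE_ROOT)) {
            throw new IllegalArgumentException("picName escapes the image directory");
        }
        return target;
    }

    /** Deletes only a file whose real (symlink-resolved) location is inside IMAGE_ROOT. */
    static boolean deletePicture(String picName) throws IOException {
        Path target = safeTarget(picName);
        if (Files.exists(target)) {
            // A symlink inside the directory could still point elsewhere; check the real path.
            Path real = target.toRealPath();
            if (!real.startsWith(IMAGE_ROOT.toRealPath())) {
                throw new IllegalArgumentException("picName resolves outside the image directory");
            }
        }
        return Files.deleteIfExists(target);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate name and three traversal attempts.
        String[] samples = {
            "photo1.png",
            "../../../../etc/passwd",
            "sub/../../secret.txt",
            "..\\..\\win.ini"
        };
        for (String s : samples) {
            System.out.println("input: " + s);
            System.out.println("  naive resolves to:    " + vulnerableTarget(s).normalize());
            try {
                System.out.println("  hardened resolves to: " + safeTarget(s));
            } catch (IllegalArgumentException e) {
                System.out.println("  hardened rejects:     " + e.getMessage());
            }
        }
    }
}
```

In a Spring MVC controller the same logic sits behind the request mapping for the delete action; the controller should turn the IllegalArgumentException into a generic error response rather than echoing the resolved path back to the client. The lexical check alone is not enough on its own: the startsWith test after normalize() catches anything the string checks miss, and the toRealPath() comparison covers symbolic links planted inside the image directory.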

Generated by OpenCVE AI on April 18, 2026 at 17:50 UTC.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Megagao; Megagao production Ssm; Megagao ssm-erp

Type: Vendors & Products
Values Removed: (none)
Values Added: Megagao; Megagao production Ssm; Megagao ssm-erp

Sat, 21 Feb 2026 07:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: A vulnerability has been found in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. This affects the function pictureDelete of the file PictureController.java. Such manipulation of the argument picName leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet.

Type: Title
Values Removed: (none)
Values Added: feng_ha_ha/megagao ssm-erp/production_ssm PictureController.java pictureDelete path traversal

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-22

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV2_0 {'score': 5.5, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 5.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T19:41:53.728Z

Reserved: 2026-02-20T14:17:49.093Z

Link: CVE-2026-2864

Vulnrichment

Updated: 2026-02-23T19:41:47.684Z

NVD

Status: Deferred

Published: 2026-02-21T08:16:12.377

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2864

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:00:06Z

Weaknesses