Description
A security vulnerability has been detected in mingSoft MCMS 迄 5.5.0. Impacted is the function list of the file net/mingsoft/cms/action/web/ContentAction.java of the component Web Content List Endpoint. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-03-27
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Remote SQL Injection
Action: Apply Patch
AI Analysis

Impact

The flaw resides in the list action of the ContentAction.java component within mingSoft MCMS, allowing attackers to inject arbitrary SQL through manipulated input. This vitiates the integrity of database queries, potentially exposing sensitive data, modifying records, or even executing destructive commands. The vulnerability directly compromises confidentiality and integrity of the CMS data layer.

Affected Systems

The issue affects mingSoft MCMS versions up to and including 5.5.0. Users of any deployment of this CMS that has not been upgraded beyond 5.5.0 are vulnerable. No other product versions are listed as affected.

Risk and Exploitability

With a CVSS score of 5.3 the severity is moderate; the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the injection remotely via the Web Content List endpoint, and the existence of public exploit code suggests that exploitation risk is tangible should the system remain unpatched.

Generated by OpenCVE AI on March 27, 2026 at 15:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade mingSoft MCMS to a version newer than 5.5.0 or apply the vendor’s security patch for the ContentAction.java list endpoint.
  • If an immediate upgrade is not feasible, restrict or block external access to the Web Content List endpoint at the web server or firewall level.
  • If the endpoint must remain accessible, enforce strict input validation or refactor the code to use parameterized queries to eliminate SQL injection risk.
  • Monitor application logs for suspicious activity related to the ContentAction.java list function.

Generated by OpenCVE AI on March 27, 2026 at 15:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in mingSoft MCMS 迄 5.5.0. Impacted is the function list of the file net/mingsoft/cms/action/web/ContentAction.java of the component Web Content List Endpoint. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
Title mingSoft MCMS Web Content List Endpoint ContentAction.java list sql injection
First Time appeared Mingsoft
Mingsoft mcms
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:mingsoft:mcms:*:*:*:*:*:*:*:*
Vendors & Products Mingsoft
Mingsoft mcms
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Mingsoft Mcms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-27T14:46:35.586Z

Reserved: 2026-03-27T07:53:22.716Z

Link: CVE-2026-4954

cve-icon Vulnrichment

Updated: 2026-03-27T14:46:32.463Z

cve-icon NVD

Status : Received

Published: 2026-03-27T15:17:02.820

Modified: 2026-03-27T15:17:02.820

Link: CVE-2026-4954

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T20:28:38Z

Weaknesses