CVE-2026-3026 MEDIUM

CVE-2026-3026: erzhongxmu JEEWMS UEditor getRemoteImage.jsp server-side request forgery

Vendor Erzhongxmu
Product JEEWMS
Weakness CWE-918 · SSRF
Published February 23, 2026
Last update February 25, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability has been found in erzhongxmu JEEWMS 3.7. Affected by this issue is some unknown functionality of the file /plug-in/ueditor/jsp/getRemoteImage.jsp of the component UEditor. The manipulation of the argument upfile leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

February 23, 2026 CVE published
February 25, 2026 Record updated