CVE-2026-4953 MEDIUM

CVE-2026-4953: mingSoft MCMS Editor Endpoint BaseAction.java catchImage server-side request forgery

Vendor Mingsoft

Product MCMS

Weakness CWE-918 · SSRF

Published March 27, 2026

Last update March 30, 2026

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A weakness has been identified in mingSoft MCMS up to 5.5.0. This issue affects the function catchImage of the file net/mingsoft/cms/action/BaseAction.java of the component Editor Endpoint. Executing a manipulation of the argument catchimage can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.

Key dates

Disclosure timeline

March 27, 2026 CVE published

March 30, 2026 Record updated

Identifiers

CVE CVE-2026-4953

CWE CWE-918

CVSS 6.9 / MEDIUM

Affected versions

Vendor Mingsoft

Product MCMS

Affected 5.0

Vendor Mingsoft

Product MCMS

Affected 5.1

Vendor Mingsoft

Product MCMS

Affected 5.2

Vendor Mingsoft

Product MCMS

Affected 5.3

Vendor Mingsoft

Product MCMS

Affected 5.4

Vendor Mingsoft

Product MCMS

Affected 5.5.0