CVE-2026-2860
Status: Awaiting Analysis (Queue)
BaseFortify

Publication date: 2026-02-21

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. Impacted is an unknown function of the file EmployeeController.java. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. This product uses a rolling release to provide continuous delivery; therefore, no version details for affected or updated releases are available. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Published: 2026-02-21
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-02-21
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor       Product          Version / Range
feng_ha_ha   production_ssm   up to 1.0 (inclusive)
feng_ha_ha   ssm_erp          up to 1.0 (inclusive)
CWE ID    Description
CWE-285   The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266   A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2860 is an improper authorization vulnerability found in the EmployeeController.java file of the feng_ha_ha/megagao ssm-erp and production_ssm projects. The vulnerability arises because the system fails to perform proper authorization checks on several critical interfaces, allowing unauthorized users to access and interact with sensitive data and perform file operations without permission.

  • Affected interfaces include endpoints such as /employee/list, /material/list, /user/list, /file/upload, /file/download, /file/delete, /pic/upload, and /pic/delete.
  • The vulnerability allows remote attackers to bypass authorization controls and access or manipulate sensitive information and resources.

The issue is due to missing or incomplete access control implementations, despite the use of the Shiro security framework, which leaves critical endpoints unprotected.


How can this vulnerability impact me?

This vulnerability can have significant security impacts by allowing unauthorized users to access sensitive data and perform unauthorized actions on the system.

  • Unauthorized access to sensitive employee information, such as user ID card details.
  • Ability to upload, download, or delete files and pictures without proper authorization.
  • Ability to perform unauthorized operations such as adding departments or deleting customers.

Overall, the vulnerability compromises the confidentiality, integrity, and availability of the system, potentially leading to data breaches, data manipulation, and disruption of services.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing access to several critical endpoints that lack proper authorization controls. Key vulnerable endpoints include: /employee/list, /material/list, /user/list, /file/upload, /file/download, /file/delete, /pic/upload, and /pic/delete.

You can use HTTP request commands such as curl to check if these endpoints allow unauthorized access. For example, to test unauthorized access to the employee list, you can run:

  • curl -X GET http://<target-host>/employee/list
  • curl -X POST http://<target-host>/department/insert -d '{"departmentName":"test"}'
  • curl -X POST http://<target-host>/custom/delete_batch -d '{"ids":[1,2,3]}'

If these commands succeed without authentication or authorization errors, it indicates the presence of the vulnerability due to improper access control. [1, 3]


What immediate steps should I take to mitigate this vulnerability?

Currently, there are no known countermeasures or official patches available for this vulnerability as the project maintainers have not responded to the issue.

Immediate mitigation steps include:

  • Restrict network access to the affected endpoints by implementing firewall rules or network segmentation to limit exposure.
  • Implement external access control mechanisms such as reverse proxies or API gateways that enforce authentication and authorization.
  • Monitor logs and network traffic for suspicious access patterns to these endpoints.
  • Consider replacing the vulnerable software with alternative ERP solutions that provide proper access control.
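The second mitigation step, enforcing authentication and authorization in front of the unprotected endpoints, can also be applied inside the application itself through the Shiro framework that the record says the project already uses. The following is an added example written for this page; it is not code from the ssm-erp or production_ssm projects. The bean wiring, the login and error paths, and the role and permission names are assumptions; the endpoint paths are the ones named in this record.

```java
// Added example, not the project's own code: a Shiro filter-chain
// configuration that requires an authenticated session on every endpoint
// named in this record, plus a role or permission for the operations
// that change or delete data. Login path, role names and permission
// strings are assumptions.
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroAuthzConfig {

    @Bean
    public ShiroFilterFactoryBean shiroFilter(DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager);
        factory.setLoginUrl("/login");        // assumed login page
        factory.setUnauthorizedUrl("/403");   // assumed "access denied" page

        // Shiro evaluates chain definitions top-down and the first match
        // wins, so a LinkedHashMap is used to keep insertion order.
        Map<String, String> chains = new LinkedHashMap<>();

        // Public paths (assumed): the login form and static assets only.
        chains.put("/login", "anon");
        chains.put("/static/**", "anon");

        // Read endpoints from the record: any authenticated user.
        chains.put("/employee/list", "authc");
        chains.put("/material/list", "authc");
        // The user list exposes account data; restrict it to an admin role.
        chains.put("/user/list", "authc, roles[admin]");

        // File and picture operations: session plus an explicit permission
        // (permission strings are assumptions for the example).
        chains.put("/file/upload", "authc, perms[file:upload]");
        chains.put("/file/download", "authc, perms[file:download]");
        chains.put("/file/delete", "authc, perms[file:delete]");
        chains.put("/pic/upload", "authc, perms[pic:upload]");
        chains.put("/pic/delete", "authc, perms[pic:delete]");

        // Data-changing operations mentioned in the detection answer.
        chains.put("/department/insert", "authc, roles[admin]");
        chains.put("/custom/delete_batch", "authc, roles[admin]");

        // Default-deny: anything not listed above still needs a session.
        // This entry must stay last or it would shadow the rules above.
        chains.put("/**", "authc");

        factory.setFilterChainDefinitionMap(chains);
        return factory;
    }
}
```

The closing `/**` rule is the part that addresses CWE-285 as a class rather than endpoint by endpoint: a new controller method added later is denied to anonymous callers by default instead of being silently exposed. The filter chain only gates URLs, so controller methods that operate on a caller-supplied record id still need their own ownership check before acting on it.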
