CVE-2026-2863
Received Received - Intake
Path Traversal in megagao ssm-erp deleteFile Function

Publication date: 2026-02-21

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. The impacted element is the function deleteFile of the file FileServiceImpl.java. This manipulation causes path traversal. The attack can be initiated remotely. The exploit has been published and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-21
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-21
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2863
EUVD
EUVD-2026-7533
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
megagao production_ssm to 4288d53bd35757b27f2d070057aefb2c07bdd097 (inc)
megagao ssm-erp to 4288d53bd35757b27f2d070057aefb2c07bdd097 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2863 is a path traversal vulnerability in the production_ssm and ssm-erp systems by megagao. It exists in the deleteFile function of FileServiceImpl.java, where the system improperly handles file path inputs in the /file/delete interface.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the system filters only forward slashes ("/") but fails to filter backslash ("\\") characters. This allows attackers to use sequences like "..\\" to traverse directories and delete arbitrary files outside the intended directory.'}, {'type': 'paragraph', 'content': 'An attacker can remotely exploit this flaw by sending crafted requests with manipulated fileName parameters containing directory traversal characters, enabling deletion of files outside the designated upload directory.'}] [1, 2, 3]

Impact Analysis

This vulnerability allows an attacker to delete arbitrary files on the affected system remotely by exploiting improper input sanitization in the file deletion functionality.

The impact includes loss of data integrity and availability, as critical files outside the intended directory can be deleted, potentially disrupting system operations or causing data loss.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious POST requests to the /file/delete interface that include directory traversal sequences, especially those using backslash characters ("\\") such as "..\\" in the fileName parameter.'}, {'type': 'paragraph', 'content': 'A typical detection method involves inspecting web server logs or network traffic for requests like:'}, {'type': 'list_item', 'content': 'POST /production_ssm_war_exploded/file/delete with payload fileName=......\\123.txt'}, {'type': 'paragraph', 'content': 'Commands to detect such attempts could include using tools like grep on server logs to find suspicious patterns:'}, {'type': 'list_item', 'content': "grep -i 'fileName=.*\\\\' /path/to/access.log"}, {'type': 'list_item', 'content': "grep -E 'fileName=.*\\.\\.\\\\' /path/to/access.log"}, {'type': 'paragraph', 'content': 'Additionally, network intrusion detection systems (NIDS) can be configured to alert on HTTP POST requests containing directory traversal sequences in parameters.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting or disabling the /file/delete interface if it is not essential.'}, {'type': 'paragraph', 'content': 'If the interface must remain active, implement strict input validation and sanitization on the fileName parameter to reject any directory traversal characters, especially backslashes ("\\") and sequences like "..\\".'}, {'type': 'paragraph', 'content': 'Additionally, monitor and block suspicious requests attempting directory traversal patterns.'}, {'type': 'paragraph', 'content': "Since no official patch or version update is available due to the product's rolling release nature and lack of response from the project, consider replacing the vulnerable product with a secure alternative."}] [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2863. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart