CVE-2026-2864
Received Received - Intake
Path Traversal in megagao SSM-ERP PictureController Allows Remote Exploit

Publication date: 2026-02-21

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. This affects the function pictureDelete of the file PictureController.java. Such manipulation of the argument picName leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-21
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-21
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2864
EUVD
EUVD-2026-7512
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
megagao production_ssm to 4288d53bd35757b27f2d070057aefb2c07bdd097 (exc)
feng_ha_ha ssm_erp to 4288d53bd35757b27f2d070057aefb2c07bdd097 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2864 is a path traversal vulnerability found in the production_ssm and feng_ha_ha/megagao ssm-erp software, specifically in the pictureDelete function of the PictureController.java file.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the application does not properly sanitize the input parameter picName, allowing an attacker to manipulate this argument to include directory traversal characters such as "..\\".'}, {'type': 'paragraph', 'content': 'This improper filtering enables an attacker to traverse directories on the server and delete arbitrary files outside the intended directory.'}, {'type': 'paragraph', 'content': 'The attack can be launched remotely via the /pic/delete interface by sending crafted requests that exploit this flaw.'}] [1, 2, 3]

Impact Analysis

This vulnerability allows an attacker to delete arbitrary files on the affected server by exploiting the path traversal flaw.

Such unauthorized file deletion can lead to loss of important data, disruption of services, and compromise of system integrity and availability.

Because the attack can be performed remotely without user interaction, it increases the risk of exploitation.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for HTTP POST requests to the /pic/delete interface that include path traversal patterns in the picName parameter, such as sequences containing "..\\" or "../" which attempt to traverse directories.'}, {'type': 'paragraph', 'content': 'A proof-of-concept exploit involves sending a crafted HTTP POST request with picName=..\\..\\..\\123.txt to the /production_ssm_war_exploded/pic/delete endpoint, which can be used to test if the system is vulnerable.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts or test the vulnerability include using curl to send such crafted requests:'}, {'type': 'list_item', 'content': 'curl -X POST -d "picName=..\\..\\..\\123.txt" http://<target-host>/production_ssm_war_exploded/pic/delete'}, {'type': 'list_item', 'content': 'curl -X POST -d "picName=../../../../etc/passwd" http://<target-host>/production_ssm_war_exploded/pic/delete'}, {'type': 'paragraph', 'content': 'Additionally, network intrusion detection systems (NIDS) or web application firewalls (WAF) can be configured to alert on requests containing directory traversal patterns in the picName parameter targeting the /pic/delete endpoint.'}] [1, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Currently, no known countermeasures or official patches exist for this vulnerability as the project maintainers have not responded to the issue report.'}, {'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': 'Restrict access to the /pic/delete endpoint to trusted users or internal networks only.'}, {'type': 'list_item', 'content': 'Implement input validation and sanitization at the web server or application firewall level to block requests containing directory traversal sequences such as "..\\" or "../" in the picName parameter.'}, {'type': 'list_item', 'content': 'Monitor logs for suspicious requests attempting directory traversal and respond accordingly.'}, {'type': 'list_item', 'content': 'Consider replacing the vulnerable product with an alternative solution if feasible, as no patches are currently available.'}] [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2864. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart