CVE-2026-2953
Path Traversal in Dromara UJCMS Template Handler Allows Remote Exploit
Publication date: 2026-02-22
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ujcms | ujcms | 10.1.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2953 is a path traversal vulnerability in Dromara UJCMS version 101.2, specifically in the deleteDirectory function of the WebFileTemplateController.delete file within the Template Handler component.

The vulnerability occurs because the application does not properly sanitize external input used to build file or directory paths, allowing attackers to manipulate the pathname to access and delete directories outside the intended restricted area.

Although the application uses a blacklist to block common path traversal sequences like '..' and '\', it fails to validate inputs such as empty strings or root-equivalent paths (e.g., '/'), which can be exploited to recursively delete all files and subdirectories in the template storage root directory.

This can lead to the complete removal of website templates, styles, and scripts, severely impacting the website's functionality.

The vulnerability can be exploited remotely, and a proof-of-concept exploit is publicly available. [1, 3]
How can this vulnerability impact me?
This vulnerability allows remote attackers to perform unauthorized directory deletions through path traversal.

Exploitation can lead to the recursive deletion of all files and subdirectories within the template storage root directory, including critical website components such as templates, styles, and scripts.

As a result, the system's integrity and availability are compromised, potentially causing denial of service by wiping essential parts of the website.

Because the vendor has not provided any mitigations or fixes, affected users may need to consider replacing the product to avoid this risk. [1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a path traversal flaw in the deleteDirectory function of Dromara UJCMS 101.2, which can be exploited remotely to delete critical template files. Detection would involve monitoring for unusual or unauthorized deletion requests targeting the template storage directories.

Since the vulnerability exploits crafted inputs such as empty strings or root-equivalent paths (e.g., "/") that bypass blacklist filters, detection can focus on identifying HTTP requests to the WebFileTemplateController.delete endpoint containing suspicious parameters.

Suggested commands to detect potential exploitation attempts include:
- Using web server logs, grep for requests to the vulnerable endpoint with suspicious parameters, for example: `grep 'WebFileTemplateController.delete' /var/log/nginx/access.log | grep -E 'id=\/|id=""'`
- Monitor filesystem changes in the template storage directory for unexpected recursive deletions, e.g., using `inotifywait` or similar tools.
- Use network monitoring tools to detect unusual HTTP DELETE or POST requests targeting the template handler. [1, 3]
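The two answers above (the explanation of the weak blacklist, and the log-based detection) share one underlying check: does the submitted path resolve to a strict sub-directory of the template root, or to the root itself or outside it? The following is an added illustration, not code from UJCMS or from this advisory. It shows a deny-list of the kind the advisory describes next to a canonicalizing containment check, and then reuses that same check to triage access-log lines. The template root, the `id` parameter name, the route `/example/web-file-template/delete` (the advisory names a controller class, not a URL, so the route here is a placeholder) and the nginx-style log lines are all constructed for the example.

```python
"""Hardened sub-path check for a template directory, reused for log triage.

Added example for CVE-2026-2953. Assumptions (not from the advisory): the
template root, the delete route, the ``id`` parameter name and the log lines
are constructed here; the real UJCMS route and parameter may differ.
"""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

TEMPLATE_ROOT = "/srv/ujcms/templates"                   # constructed example root
DELETE_ENDPOINT = "/example/web-file-template/delete"   # placeholder route, not the real one


def blacklist_check(user_path: str) -> bool:
    """Deny-list of the kind the advisory describes: rejects '..' and '\\' only.

    It returns True ("allowed") for '' and '/', which is exactly the gap the
    advisory reports: both resolve to the template root itself.
    """
    return ".." not in user_path and "\\" not in user_path


def resolve_template_subpath(user_path: str, root: str = TEMPLATE_ROOT) -> str:
    """Canonicalize user_path under root and require a strict descendant.

    Raises ValueError for empty or whitespace input, NUL bytes, backslashes,
    absolute paths, anything normalizing to the root itself, and anything
    escaping the root. Uses posixpath so it is deterministic and needs no
    filesystem; a deployment would additionally realpath() the result on the
    live filesystem so symlinks inside the root cannot point elsewhere.
    """
    if user_path is None or user_path.strip() == "":
        raise ValueError("empty path would target the template root")
    if "\x00" in user_path or "\\" in user_path:
        raise ValueError("NUL byte or backslash in path")
    if user_path.startswith("/"):
        raise ValueError("absolute path not allowed")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    if candidate == root:
        raise ValueError("path resolves to the template root itself")
    if not candidate.startswith(root + "/"):
        raise ValueError("path escapes the template root")
    return candidate


def is_safe_subpath(user_path: str) -> bool:
    """Boolean wrapper around resolve_template_subpath for callers and tests."""
    try:
        resolve_template_subpath(user_path)
        return True
    except ValueError:
        return False


# Request line of an nginx "combined" access-log entry.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def flag_delete_requests(log_lines):
    """Return (request_target, reason) for delete-endpoint requests whose id
    parameter fails the hardened check. These are the entries worth reviewing;
    empty and root-equivalent ids are caught without a hand-written pattern."""
    flagged = []
    for line in log_lines:
        match = LOG_LINE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if parts.path != DELETE_ENDPOINT:
            continue
        # keep_blank_values so "id=" (empty string) is seen rather than dropped
        for value in parse_qs(parts.query, keep_blank_values=True).get("id", [""]):
            try:
                resolve_template_subpath(value)
            except ValueError as exc:
                flagged.append((match.group("target"), str(exc)))
    return flagged


SAMPLE_LOG = [  # constructed lines; only the second to fourth should be flagged
    '10.0.0.5 - - [22/Feb/2026:10:00:01 +0000] "POST /example/web-file-template/delete?id=default/css HTTP/1.1" 200 12 "-" "curl/8.0"',
    '10.0.0.5 - - [22/Feb/2026:10:00:02 +0000] "POST /example/web-file-template/delete?id= HTTP/1.1" 200 12 "-" "curl/8.0"',
    '10.0.0.5 - - [22/Feb/2026:10:00:03 +0000] "POST /example/web-file-template/delete?id=%2F HTTP/1.1" 200 12 "-" "curl/8.0"',
    '10.0.0.5 - - [22/Feb/2026:10:00:04 +0000] "POST /example/web-file-template/delete?id=default/.. HTTP/1.1" 403 12 "-" "curl/8.0"',
    '10.0.0.9 - - [22/Feb/2026:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for target, reason in flag_delete_requests(SAMPLE_LOG):
        print(f"REVIEW {target}: {reason}")
```

The point of the containment check is that it does not enumerate bad substrings at all: every input is joined to the root, normalized, and then required to begin with `root + "/"`, so an empty string, `/`, `./`, or `default/..` all fail the same test that `../etc` fails. Running the same function over the log's `id` values means the detection rule cannot drift from the validation rule; the grep above, by contrast, has to be extended by hand for each new encoding of the same input.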
What immediate steps should I take to mitigate this vulnerability?
There are no known vendor-provided patches or mitigations for this vulnerability as the vendor did not respond to the disclosure.
Immediate mitigation steps include:
- Restrict access to the vulnerable WebFileTemplateController.delete endpoint by implementing network-level controls such as firewall rules or web application firewall (WAF) rules to block unauthorized or suspicious requests.
- Monitor and audit file system changes in the template storage directory to quickly detect and respond to unauthorized deletions.
- Consider disabling or restricting the functionality of the deleteDirectory feature if possible.
- Evaluate replacing the affected product with a more secure alternative due to the lack of vendor response and available fixes.