CVE-2026-2954
Remote Injection Vulnerability in Dromara UJCMS ImportDataController
Publication date: 2026-02-22
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ujcms | ujcms | 10.0.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-707 | The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2954 is an injection vulnerability in Dromara UJCMS version 10.0.2, specifically in the importChanel function of the ImportDataController component. The vulnerability occurs because the application accepts user-supplied parameters driverClassName and url without proper validation and uses them directly to establish a JDBC database connection.
This lack of validation allows attackers to perform injection attacks remotely by manipulating these parameters. The attacks can lead to arbitrary file reads or remote code execution depending on the database drivers present in the application.
How can this vulnerability impact me? :
This vulnerability can impact you in several serious ways:
- Arbitrary File Read: Attackers can trick the server into reading and uploading sensitive local files such as /etc/passwd or C:/Windows/win.ini by connecting to a malicious rogue MySQL server.
- Remote Code Execution (RCE): If certain vulnerable database drivers are present, attackers can execute arbitrary system commands on the server by crafting malicious JDBC URLs.
- Compromise of confidentiality, integrity, and availability of the affected system.
The vulnerability is remotely exploitable, has a public proof-of-concept exploit, and no known vendor mitigations are available.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability affects the importChanel endpoint of the ImportDataController in Dromara UJCMS 10.0.2, where unvalidated driverClassName and url parameters are passed to DriverManagerDataSource. Detection involves monitoring for suspicious JDBC URL or driverClassName parameters that could indicate injection attempts.'}, {'type': 'paragraph', 'content': 'Since the vulnerability allows injection via JDBC URLs, network detection could focus on identifying unusual or malicious JDBC connection attempts, such as those using MySQL LOAD DATA LOCAL INFILE or H2 RUNSCRIPT commands.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts might include searching application logs or network traffic for suspicious JDBC URLs or driverClassName parameters. For example, using grep on server logs:'}, {'type': 'list_item', 'content': "grep -i 'driverClassName' /path/to/ujcms/logs/*"}, {'type': 'list_item', 'content': "grep -i 'jdbc:' /path/to/ujcms/logs/*"}, {'type': 'list_item', 'content': 'tcpdump or Wireshark filters to capture suspicious JDBC traffic patterns or connections to rogue MySQL servers.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unexpected outbound connections to unknown database servers or unusual file read operations triggered by the LOAD DATA LOCAL INFILE feature could help detect exploitation.'}] [1, 3]
What immediate steps should I take to mitigate this vulnerability?
No vendor patches or fixes are currently available for this vulnerability, and the vendor did not respond to early notifications.
Immediate mitigation steps include:
- Restrict or disable access to the vulnerable importChanel endpoint to prevent remote exploitation.
- Implement input validation or filtering on the driverClassName and url parameters to block malicious JDBC URLs or driver names.
- Monitor and block suspicious outbound connections to unknown or rogue database servers.
- Consider replacing or upgrading the affected component or product if possible.
Users should also apply network-level protections such as firewall rules to limit access to the affected service and monitor logs for signs of exploitation attempts.