CVE-2026-2954
Received Received - Intake
Remote Injection Vulnerability in Dromara UJCMS ImportDataController

Publication date: 2026-02-22

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in Dromara UJCMS 10.0.2. Impacted is the function importChanel of the file /api/backend/ext/import-data/import-channel of the component ImportDataController. Performing a manipulation of the argument driverClassName/url results in injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-22
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2954
EUVD
EUVD-2026-7552
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ujcms ujcms 10.0.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2954 is an injection vulnerability in Dromara UJCMS version 10.0.2, specifically in the importChanel function of the ImportDataController component. The vulnerability occurs because the application accepts user-supplied parameters driverClassName and url without proper validation and uses them directly to establish a JDBC database connection.

This lack of validation allows attackers to perform injection attacks remotely by manipulating these parameters. The attacks can lead to arbitrary file reads or remote code execution depending on the database drivers present in the application.

Impact Analysis

This vulnerability can impact you in several serious ways:

  • Arbitrary File Read: Attackers can trick the server into reading and uploading sensitive local files such as /etc/passwd or C:/Windows/win.ini by connecting to a malicious rogue MySQL server.
  • Remote Code Execution (RCE): If certain vulnerable database drivers are present, attackers can execute arbitrary system commands on the server by crafting malicious JDBC URLs.
  • Compromise of confidentiality, integrity, and availability of the affected system.

The vulnerability is remotely exploitable, has a public proof-of-concept exploit, and no known vendor mitigations are available.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability affects the importChanel endpoint of the ImportDataController in Dromara UJCMS 10.0.2, where unvalidated driverClassName and url parameters are passed to DriverManagerDataSource. Detection involves monitoring for suspicious JDBC URL or driverClassName parameters that could indicate injection attempts.'}, {'type': 'paragraph', 'content': 'Since the vulnerability allows injection via JDBC URLs, network detection could focus on identifying unusual or malicious JDBC connection attempts, such as those using MySQL LOAD DATA LOCAL INFILE or H2 RUNSCRIPT commands.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts might include searching application logs or network traffic for suspicious JDBC URLs or driverClassName parameters. For example, using grep on server logs:'}, {'type': 'list_item', 'content': "grep -i 'driverClassName' /path/to/ujcms/logs/*"}, {'type': 'list_item', 'content': "grep -i 'jdbc:' /path/to/ujcms/logs/*"}, {'type': 'list_item', 'content': 'tcpdump or Wireshark filters to capture suspicious JDBC traffic patterns or connections to rogue MySQL servers.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unexpected outbound connections to unknown database servers or unusual file read operations triggered by the LOAD DATA LOCAL INFILE feature could help detect exploitation.'}] [1, 3]

Mitigation Strategies

No vendor patches or fixes are currently available for this vulnerability, and the vendor did not respond to early notifications.

Immediate mitigation steps include:

  • Restrict or disable access to the vulnerable importChanel endpoint to prevent remote exploitation.
  • Implement input validation or filtering on the driverClassName and url parameters to block malicious JDBC URLs or driver names.
  • Monitor and block suspicious outbound connections to unknown or rogue database servers.
  • Consider replacing or upgrading the affected component or product if possible.

Users should also apply network-level protections such as firewall rules to limit access to the affected service and monitor logs for signs of exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2954. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart