Executive Summary

CVE-2026-30637 is a Server-Side Request Forgery (SSRF) vulnerability found in OTCMS versions up to 7.66, specifically in the AnnounContent function of the /admin/read.php file.

The vulnerability occurs because the 'url' parameter passed via a GET request is not validated or sanitized before being used to make HTTP requests from the server.

This allows remote attackers to craft HTTP requests that the server executes, potentially targeting internal services or any remote server, without requiring authentication.

Additionally, attackers can exploit this to read local files on the server using the file:// URL scheme and inject malicious scripts (XSS) by having the server fetch and output harmful content.

Useful 0 Not Useful 0

Compliance Impact

The CVE-2026-30637 vulnerability allows unauthorized attackers to perform Server-Side Request Forgery (SSRF), local file disclosure, and Cross-Site Scripting (XSS) without authentication or permission checks.

Such vulnerabilities can lead to unauthorized access to internal network resources and sensitive data exposure, which may result in violations of data protection regulations like GDPR and HIPAA that require strict controls on data confidentiality and integrity.

Specifically, the ability to read local files and inject malicious scripts could compromise personal or protected health information, thereby impacting compliance with these standards.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several serious impacts:

• Unauthorized access to internal network resources by making the server perform arbitrary HTTP requests.
• Disclosure of sensitive local files on the server through the file:// URL scheme.
• Cross-Site Scripting (XSS) attacks by injecting malicious scripts into the server's HTML response, potentially compromising users who view the affected pages.
• All these attacks can be performed without any authentication or permission checks, increasing the risk of exploitation.

Useful 0 Not Useful 0

Detection Guidance

The vulnerability can be detected by testing the vulnerable endpoint `/admin/read.php?mudi=announContent` with crafted URL parameters to see if the server performs unauthorized HTTP requests or local file reads.

You can use curl commands to test if the server fetches arbitrary URLs without validation. For example:

• curl "http://target-server/admin/read.php?mudi=announContent&url=http://example.com"
• curl "http://target-server/admin/read.php?mudi=announContent&url=file:///etc/passwd" (to test local file read)

Monitoring network traffic for unusual outbound HTTP requests originating from the server to internal or unexpected external addresses can also help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint `/admin/read.php?mudi=announContent` by implementing proper authentication and authorization controls.

Additionally, input validation and sanitization should be applied to the `url` parameter to prevent arbitrary URL requests.

If possible, disable or restrict the use of the vulnerable function `AnnounContent()` until a patch or update is applied.

Network-level controls such as firewall rules can be used to block outgoing requests from the server to internal network resources or untrusted external servers.

Useful 0 Not Useful 0