CVE-2026-30637
SSRF Vulnerability in OTCMS /admin/read.php Allows Remote Requests
Publication date: 2026-03-27
Last updated on: 2026-03-31
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| otcms | otcms | up to and including 7.66 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-30637 vulnerability allows unauthenticated attackers, with no permission checks enforced, to perform Server-Side Request Forgery (SSRF), local file disclosure, and Cross-Site Scripting (XSS).
Such vulnerabilities can lead to unauthorized access to internal network resources and sensitive data exposure, which may result in violations of data protection regulations like GDPR and HIPAA that require strict controls on data confidentiality and integrity.
Specifically, the ability to read local files and inject malicious scripts could compromise personal or protected health information, thereby impacting compliance with these standards.
Can you explain this vulnerability to me?
CVE-2026-30637 is a Server-Side Request Forgery (SSRF) vulnerability found in OTCMS versions up to 7.66, specifically in the AnnounContent function of the /admin/read.php file.
The vulnerability occurs because the `url` parameter passed in a GET request is not validated or sanitized before the server uses it as the target of its own HTTP request and returns the fetched content.
This allows remote attackers to craft HTTP requests that the server executes, targeting any remote server or internal services reachable only from the server's own network position, without requiring authentication.
Additionally, attackers can use the `file://` URL scheme to read local files on the server, and inject malicious scripts (XSS) by having the server fetch and output attacker-controlled content.
How can this vulnerability impact me?
This vulnerability can have several serious impacts:
- Unauthorized access to internal network resources by making the server perform arbitrary HTTP requests.
- Disclosure of sensitive local files on the server through the file:// URL scheme.
- Cross-Site Scripting (XSS) attacks by injecting malicious scripts into the server's HTML response, potentially compromising users who view the affected pages.
- All these attacks can be performed without any authentication or permission checks, increasing the risk of exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be confirmed by requesting the endpoint `/admin/read.php?mudi=announContent` with a crafted `url` parameter and observing whether the server fetches it. Point `url` at a host you control and watch that host for the inbound request; that proves the fetch even when the response body is not echoed back. If the body is echoed, a public URL also works as a probe.
Example curl commands:
- `curl "http://target-server/admin/read.php?mudi=announContent&url=http://example.com"` (replace `example.com` with a listener you control to see the request arrive)
- `curl "http://target-server/admin/read.php?mudi=announContent&url=file:///etc/passwd"` (to test local file read; the response should contain the file contents if the fetch honours `file://`)
For detection after the fact, review web-server access logs for requests to `/admin/read.php` with `mudi=announContent` and a `url` value that uses `file://` or names loopback, RFC 1918, or link-local addresses, and monitor outbound connections from the web server to internal or unexpected external addresses; a web server that normally makes no outbound requests makes such traffic easy to spot.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint `/admin/read.php?mudi=announContent` by enforcing the admin authentication and authorization checks that the vulnerable code omits.
Additionally, the `url` parameter should be validated against an allowlist before any fetch: permit only `http` and `https` (which excludes `file://`), reject hosts that are or resolve to loopback, private, or link-local addresses, and apply the same check to the resolved address the fetch actually connects to and to any redirect target, since a hostname can resolve to an internal address. Any fetched content that is returned to the browser should be HTML-encoded on output to close the XSS path.
If possible, disable or restrict the use of the vulnerable function `AnnounContent()` until a patch or update is applied.
Network-level controls such as egress firewall rules on the web server can block outgoing requests to internal network resources or untrusted external servers; note that a network firewall does not see connections to the server's own loopback interface, so those need a host-level rule or the application check.
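As an added example (not OTCMS code and not part of the advisory), the same URL check serves both the access-log review described under detection above and the `url` validation described under mitigation: `check_fetch_url()` is the allowlist a fixed handler would apply before fetching, and `scan_access_log()` runs it over access-log lines to flag probes against the endpoint. The log lines, the hostnames `cdn.example.org` and `internal-wiki.corp`, and the `FAKE_DNS` resolver that stands in for DNS are constructed so the example runs offline.

```python
"""Added example (not OTCMS code): one URL check used for mitigation and detection.
check_fetch_url() is the allowlist a fixed announContent handler applies before fetching;
scan_access_log() flags logged requests to the endpoint whose url= value fails that check.
Hostnames, addresses and log lines are constructed for the example."""
import ipaddress
import re
import socket
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed stand-in for DNS so the example runs offline (not real records).
FAKE_DNS = {
    "cdn.example.org": "93.184.216.34",   # a routable address
    "internal-wiki.corp": "10.0.0.5",     # an RFC 1918 address
}

def fake_resolver(host: str) -> str:
    try:
        return FAKE_DNS[host.lower()]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: no record for {host!r}")

def check_fetch_url(url: str, resolver: Optional[Callable[[str], str]] = None) -> Optional[str]:
    """Return None if `url` may be fetched server-side, otherwise the reason it is rejected."""
    resolve = resolver or socket.gethostbyname
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparsable"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:          # rejects file://, gopher://, dict://, ...
        return f"scheme:{scheme or 'none'}"
    if parts.username or parts.password:        # http://trusted@evil/ style confusion
        return "userinfo"
    host = parts.hostname                       # brackets already stripped from [::1]
    if not host:
        return "no-host"
    if host.lower() == "localhost":
        return "host:localhost"
    try:
        ip = ipaddress.ip_address(host)         # literal address in the URL
    except ValueError:
        try:                                    # a name: judge whatever it resolves to
            ip = ipaddress.ip_address(resolve(host))
        except (OSError, ValueError):
            return "unresolvable"
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) must be judged as the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254.169.254),
    # CGNAT, unspecified and documentation ranges.
    if not ip.is_global:
        return f"address:{ip}"
    return None

# Constructed access-log lines in combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Mar/2026:10:01:02 +0000] "GET /admin/read.php?mudi=announContent&url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.5 - - [27/Mar/2026:10:01:09 +0000] "GET /admin/read.php?mudi=announContent&url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 1873 "-" "curl/8.5.0"
203.0.113.5 - - [27/Mar/2026:10:01:20 +0000] "GET /admin/read.php?mudi=announContent&url=http%3A%2F%2Finternal-wiki.corp%2F HTTP/1.1" 200 9201 "-" "curl/8.5.0"
198.51.100.7 - - [27/Mar/2026:10:02:15 +0000] "GET /admin/read.php?mudi=announContent&url=https%3A%2F%2Fcdn.example.org%2Fnews.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Mar/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def scan_access_log(lines, resolver=None):
    """Return one record per request to the announContent endpoint whose url= value fails the check."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != "/admin/read.php":
            continue
        params = parse_qs(target.query)
        if params.get("mudi", [""])[0].lower() != "announcontent":
            continue
        for raw_url in params.get("url", []):  # parse_qs already percent-decodes
            reason = check_fetch_url(raw_url, resolver)
            if reason is not None:
                hits.append({"src": m.group("src"), "ts": m.group("ts"), "url": raw_url,
                             "status": m.group("status"), "reason": reason})
    return hits

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines(), fake_resolver):
        print(f"{hit['ts']} {hit['src']} -> {hit['url']} [{hit['reason']}] HTTP {hit['status']}")
```

Run as a script it prints the three flagged requests from the sample log (the metadata address, the `file://` read, and the name that resolves to 10.0.0.5); the request for `cdn.example.org` passes. In a real deployment the resolver is `socket.gethostbyname` (the default), and the fetch must connect to the address that was checked rather than resolve the name a second time, or a DNS-rebinding host can pass the check and then point at an internal address; redirects need the same check at each hop. The check belongs behind the admin authentication the advisory says is missing, not in place of it.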