CVE-2026-4953
Received - Intake
Server-Side Request Forgery in mingSoft MCMS Editor Endpoint

Publication date: 2026-03-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in mingSoft MCMS up to 5.5.0. This issue affects the function catchImage of the file net/mingsoft/cms/action/BaseAction.java of the component Editor Endpoint. Executing a manipulation of the argument catchimage can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.
Meta Information
Published: 2026-03-27
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products

| Vendor | Product | Version / Range |
|---|---|---|
| mingsoft | mcms | 5.5.0 |
| mingsoft | mcms | up to 5.5.0 (inclusive) |
CWE ID: CWE-918
Description: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-4953 is a Server-Side Request Forgery (SSRF) vulnerability found in mingSoft MCMS version 5.5.0, specifically in the editor endpoint's catchImage function.

The vulnerability occurs because the application accepts user-supplied URLs via the catchimage argument and forwards them to a server-side fetch utility without properly validating the URL scheme, hostname, or network boundaries.

This allows an attacker to make the MCMS server send HTTP requests to arbitrary internal or external targets, including localhost, private IP ranges, and cloud metadata service endpoints.

The exploit can be launched remotely without requiring user interaction or special privileges.


How can this vulnerability impact me?

This vulnerability can have several impacts:

  • Confidentiality: High risk as attackers can access internal HTTP services and cloud metadata endpoints, potentially exposing sensitive credentials or tokens.
  • Integrity: Low risk, primarily involving request forgery, but indirect integrity impacts are possible if internal administrative APIs are accessed.
  • Availability: Low risk, but attackers could use it for internal network probing or flooding.

Overall, attackers can leverage this vulnerability to pivot from the MCMS server into internal networks or cloud infrastructure, exposing sensitive data and credentials.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring requests to the MCMS editor endpoint that include the parameter action=catchimage with source[] URLs pointing to internal IP addresses, localhost, or cloud metadata service hostnames.

Indicators of compromise include outbound connections from the MCMS server to internal IP ranges such as 127.0.0.1, 10.x.x.x, 192.168.x.x, or cloud metadata endpoints like 169.254.169.254.

Suggested detection commands include network traffic inspection and web server log analysis to identify suspicious requests. For example:

  • Using grep to find suspicious requests in web server logs:
      grep -i 'action=catchimage' /var/log/httpd/access_log | grep -E 'source%5B%5D=http://(127\.0\.0\.1|10\.|192\.168\.|169\.254\.169\.254)'
  • Using tcpdump or similar tools to monitor outbound HTTP requests from the MCMS server to internal or metadata IPs:
      tcpdump -i eth0 host 169.254.169.254
      tcpdump -i eth0 net 10.0.0.0/8
  • Review application logs for calls to the catchImage function or requests containing source[] parameters with suspicious URLs.
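
The log check described above, as an added Python example (not code from MCMS or from the original page). It decodes the query string before matching, so percent-encoded forms such as `http%3A%2F%2F`, which the grep pattern does not match, are also caught; the log lines and the `/EDITOR-ENDPOINT` path are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines; /EDITOR-ENDPOINT is a placeholder path.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Apr/2026:10:00:00 +0000] "GET /EDITOR-ENDPOINT?'
    'action=catchimage&source%5B%5D=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Apr/2026:10:00:05 +0000] "GET /EDITOR-ENDPOINT?'
    'action=catchimage&source[]=http://127.0.0.1:8080/ HTTP/1.1" 200 498',
    '198.51.100.9 - - [01/Apr/2026:10:01:00 +0000] "GET /EDITOR-ENDPOINT?'
    'action=catchimage&source%5B%5D=https%3A%2F%2Fimages.example.com%2Fa.png HTTP/1.1" 200 90',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def is_internal(host):
    """True for localhost and for loopback, private or link-local IP literals."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # other hostnames would need DNS resolution to classify
    return ip.is_loopback or ip.is_private or ip.is_link_local

def internal_sources(log_line):
    """Return decoded source[] URLs of a catchimage request that target internal hosts."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    params = parse_qsl(match.group(1).partition("?")[2])  # percent-decodes keys and values
    if not any(k == "action" and v.lower() == "catchimage" for k, v in params):
        return []
    hits = []
    for key, value in params:
        if key != "source[]":
            continue
        try:
            host = urlsplit(value).hostname or ""
        except ValueError:
            host = ""  # malformed URL, e.g. unbalanced IPv6 brackets
        if is_internal(host):
            hits.append(value)
    return hits

def suspicious_requests(lines):
    """Return (line_number, urls) for every line with at least one internal target."""
    found = [(n, internal_sources(line)) for n, line in enumerate(lines, 1)]
    return [(n, urls) for n, urls in found if urls]
```

Requests sent as POST with the parameters in the body do not appear in a standard access log, so this covers query-string requests only.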

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability enables attackers to perform server-side request forgery (SSRF) that can access internal HTTP services and cloud metadata endpoints, potentially exposing sensitive data and credentials.

Such exposure of sensitive information can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.

The ability to access internal services and cloud metadata may result in confidentiality breaches, undermining compliance with these standards that mandate strict controls on data confidentiality and integrity.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting and validating the URLs accepted by the catchimage function to only allow HTTP and HTTPS schemes.

Block requests targeting internal IP ranges such as loopback (127.0.0.1), site-local, and link-local addresses.

Implement a domain allowlist for remote image sources and disable the remote image capture feature if it is not required.

Apply network-level egress filtering to prevent the MCMS server from accessing cloud metadata endpoints and other sensitive internal services.

Reject unsupported URL schemes such as file://, gopher://, and ftp:// to prevent local file access or other unintended behaviors.

Restrict access to the editor upload actions to authenticated and trusted users only.

Monitor and log suspicious requests to detect potential exploitation attempts.
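
The URL checks listed above (scheme restriction, domain allowlist, rejection of loopback, site-local and link-local destinations), combined into one validator as an added example. It is written in Python for illustration and is not the MCMS code (which is Java) or a vendor patch; the allowlisted hostnames and the DNS answers are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}  # hypothetical allowlist

# Constructed DNS answers so the example runs offline.
CONSTRUCTED_DNS = {"images.example.com": ["93.184.216.34"], "cdn.example.net": ["10.0.0.5"]}

def constructed_resolver(host, port):
    """Stand-in for socket.getaddrinfo that returns tuples of the same shape."""
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, 0)) for ip in CONSTRUCTED_DNS[host]]

def check_image_url(url, resolver=socket.getaddrinfo):
    """Return (allowed, reason) for a URL submitted for remote image capture."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:  # rejects file://, gopher://, ftp://
        return False, "scheme not allowed"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        answers = resolver(host, None)
    except OSError:
        return False, "host does not resolve"
    for answer in answers:
        ip = ipaddress.ip_address(answer[4][0].split("%")[0])  # drop IPv6 scope id
        # is_private covers the site-local ranges (10/8, 172.16/12, 192.168/16)
        if ip.is_loopback or ip.is_private or ip.is_link_local:
            return False, "resolves to internal address"
    return True, "ok"
```

The result only holds if the fetch then connects to the addresses validated here and does not follow redirects to URLs that were never checked.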

