Critical severity · NVD Advisory · Published Jan 26, 2022 · Updated Aug 4, 2024

CVE-2021-46386

Description

A file upload vulnerability in mingSoft MCMS through 5.2.5 allows remote attackers to execute arbitrary code via a crafted jspx webshell sent to net.mingsoft.basic.action.web.FileAction#upload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

File upload vulnerability in MCMS through 5.2.5 allows remote attackers to execute arbitrary code via a crafted jspx webshell.

Vulnerability

A file upload vulnerability exists in the net.mingsoft.basic.action.web.FileAction#upload endpoint of mingSoft MCMS through version 5.2.5 [1][2]. The application fails to properly validate uploaded file types, allowing an attacker to upload a malicious .jspx file that can be executed by the server.

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by sending a crafted HTTP request to the upload endpoint with a .jspx webshell payload [4]. No special privileges or user interaction are required; the attacker only needs network access to the vulnerable MCMS instance.

Impact

Successful exploitation results in remote code execution (RCE) with the privileges of the web server process. This allows the attacker to execute arbitrary commands, access sensitive data, modify application files, and potentially pivot to other systems on the network.

Mitigation

As of the publication date, no official patch has been released for this vulnerability [2][4]. Users are advised to upgrade to a version beyond 5.2.5 if available, or implement strict file type validation and access controls on the upload endpoint. The issue is tracked in the project's issue tracker [4].
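
One way to implement the strict file type validation advised above, as an added example (not MCMS code and not taken from the advisory). The class name `UploadNameValidator`, the method `safeStorageName` and the extension allowlist are assumptions.

```java
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;

// Hypothetical helper, not MCMS code: allowlist check for client-supplied upload names.
public class UploadNameValidator {
    // Assumed allowlist; adjust to what the site actually needs to accept.
    private static final Set<String> ALLOWED = Set.of("jpg", "jpeg", "png", "gif", "pdf");

    /** Returns a server-generated storage name, or empty if the upload must be rejected. */
    public static Optional<String> safeStorageName(String clientName) {
        if (clientName == null || clientName.isEmpty() || clientName.length() > 255) {
            return Optional.empty();
        }
        // Reject path separators and control characters (including NUL) outright.
        for (char c : clientName.toCharArray()) {
            if (c == '/' || c == '\\' || Character.isISOControl(c)) {
                return Optional.empty();
            }
        }
        // Trailing dots and spaces are dropped by some file systems,
        // so "a.jspx." must be judged as "a.jspx".
        String name = clientName.replaceAll("[. ]+$", "");
        int dot = name.lastIndexOf('.');
        if (dot <= 0) {
            return Optional.empty(); // no base name or no extension
        }
        String ext = name.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(ext)) {
            return Optional.empty(); // .jsp, .jspx and anything else not listed
        }
        // Never reuse the client's name on disk; keep only the vetted extension.
        return Optional.of(UUID.randomUUID() + "." + ext);
    }

    public static void main(String[] args) {
        // Constructed sample names.
        String[] samples = {"photo.PNG", "shell.jspx", "shell.JsPx.", "report.pdf", "../x.png", "noext"};
        for (String s : samples) {
            System.out.println(s + " -> " + (safeStorageName(s).isPresent() ? "accept" : "reject"));
        }
    }
}
```

The check is an allowlist, so `.jspx` is rejected because it is not listed rather than because it is named in a blocklist. It complements, and does not replace, access controls on the upload endpoint.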

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: net.mingsoft:ms-mcms (Maven)
Affected versions: <= 5.2.5
Patched versions: none listed

Affected products

1

Patches

0

No patches discovered yet.

References

3
