Maven package
net.mingsoft/ms-mcms
pkg:maven/net.mingsoft/ms-mcms
Vulnerabilities (39)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-2666 | Med | 4.7 | <= 6.1.1 | — | Feb 18, 2026 | A flaw has been found in mingSoft MCMS 6.1.1. The affected element is an unknown function of the file /ms/file/uploadTemplate.do of the component Template Archive Handler. Executing a manipulation of the argument File can lead to unrestricted upload. The attack can be launched re | |
| CVE-2025-60837 | — | <= 6.0.1 | — | Oct 23, 2025 | A reflected cross-site scripting (XSS) vulnerability in MCMS v6.0.1 allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload. | ||
| CVE-2025-56316 | — | >= 5.5.0, < 6.0.2 | 6.0.2 | Oct 17, 2025 | A SQL injection vulnerability in the content_title parameter of the /cms/content/list endpoint in MCMS 5.5.0 allows remote attackers to execute arbitrary SQL queries via unsanitized input in the FreeMarker template rendering. | ||
| CVE-2025-29287 | — | < 5.4.4 | 5.4.4 | Apr 21, 2025 | An arbitrary file upload vulnerability in the ueditor component of MCMS v5.4.3 allows attackers to execute arbitrary code via uploading a crafted file. | ||
| CVE-2024-22567 | — | <= 5.3.5 | — | Feb 5, 2024 | File Upload vulnerability in MCMS 5.3.5 allows attackers to upload arbitrary files via crafted POST request to /ms/file/upload.do. | ||
| CVE-2023-51282 | — | <= 5.2.4 | — | Jan 16, 2024 | An issue in mingSoft MCMS v.5.2.4 allows a a remote attacker to obtain sensitive information via a crafted script to the password parameter. | ||
| CVE-2023-50578 | — | <= 5.2.9 | — | Dec 30, 2023 | Mingsoft MCMS v5.2.9 was discovered to contain a SQL injection vulnerability via the categoryType parameter at /content/list.do. | ||
| CVE-2023-3990 | — | < 5.3.2 | 5.3.2 | Jul 28, 2023 | A vulnerability classified as problematic has been found in Mingsoft MCMS up to 5.3.1. This affects an unknown part of the file search.do of the component HTTP POST Request Handler. The manipulation of the argument style leads to cross site scripting. It is possible to initiate t | ||
| CVE-2020-22755 | — | <= 5.0.0 | — | May 8, 2023 | File upload vulnerability in MCMS 5.0 allows attackers to execute arbitrary code via a crafted thumbnail. A different vulnerability than CVE-2022-31943. | ||
| CVE-2020-20913 | — | < 5.1 | 5.1 | Apr 4, 2023 | SQL Injection vulnerability found in Ming-Soft MCMS v.4.7.2 allows a remote attacker to execute arbitrary code via basic_title parameter. | ||
| CVE-2022-47042 | — | < 5.2.11 | 5.2.11 | Jan 24, 2023 | MCMS v5.2.10 and below was discovered to contain an arbitrary file write vulnerability via the component ms/template/writeFileContent.do. | ||
| CVE-2022-4640 | — | <= 5.2.9 | — | Dec 21, 2022 | A vulnerability has been found in Mingsoft MCMS 5.2.9 and classified as problematic. Affected by this vulnerability is the function save of the component Article Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been dis | ||
| CVE-2022-4375 | — | < 5.2.10 | 5.2.10 | Dec 9, 2022 | A vulnerability was found in Mingsoft MCMS up to 5.2.9. It has been classified as critical. Affected is an unknown function of the file /cms/category/list. The manipulation of the argument sqlWhere leads to sql injection. It is possible to launch the attack remotely. The exploit | ||
| CVE-2022-4350 | — | <= 5.2.8 | — | Dec 8, 2022 | A vulnerability, which was classified as problematic, was found in Mingsoft MCMS 5.2.8. Affected is an unknown function of the file search.do. The manipulation of the argument content_title leads to cross site scripting. It is possible to launch the attack remotely. The exploit h | ||
| CVE-2022-36599 | — | <= 5.2.8 | — | Aug 16, 2022 | Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/model/delete URI via models Lists. | ||
| CVE-2022-36272 | — | <= 5.2.8 | — | Aug 16, 2022 | Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/page/verify URI via fieldName parameter. | ||
| CVE-2022-31943 | — | — | — | Jul 1, 2022 | MCMS v5.2.8 was discovered to contain an arbitrary file upload vulnerability. | ||
| CVE-2022-29647 | — | <= 5.2.7 | — | May 31, 2022 | An issue was discovered in MCMS 5.2.7. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do. | ||
| CVE-2022-30506 | — | <= 5.2.7 | — | May 27, 2022 | An arbitrary file upload vulnerability was discovered in MCMS 5.2.7, allowing an attacker to execute arbitrary code through a crafted ZIP file. | ||
| CVE-2022-27340 | — | <= 5.2.7 | — | Apr 22, 2022 | MCMS v5.2.7 contains a Cross-Site Request Forgery (CSRF) via /role/saveOrUpdateRole.do. This vulnerability allows attackers to escalate privileges and modify data. |
- affected <= 6.1.1
A flaw has been found in mingSoft MCMS 6.1.1. The affected element is an unknown function of the file /ms/file/uploadTemplate.do of the component Template Archive Handler. Executing a manipulation of the argument File can lead to unrestricted upload. The attack can be launched re
- CVE-2025-60837Oct 23, 2025affected <= 6.0.1
A reflected cross-site scripting (XSS) vulnerability in MCMS v6.0.1 allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload.
- CVE-2025-56316Oct 17, 2025affected >= 5.5.0, < 6.0.2fixed 6.0.2
A SQL injection vulnerability in the content_title parameter of the /cms/content/list endpoint in MCMS 5.5.0 allows remote attackers to execute arbitrary SQL queries via unsanitized input in the FreeMarker template rendering.
- CVE-2025-29287Apr 21, 2025affected < 5.4.4fixed 5.4.4
An arbitrary file upload vulnerability in the ueditor component of MCMS v5.4.3 allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2024-22567Feb 5, 2024affected <= 5.3.5
File Upload vulnerability in MCMS 5.3.5 allows attackers to upload arbitrary files via crafted POST request to /ms/file/upload.do.
- CVE-2023-51282Jan 16, 2024affected <= 5.2.4
An issue in mingSoft MCMS v.5.2.4 allows a a remote attacker to obtain sensitive information via a crafted script to the password parameter.
- CVE-2023-50578Dec 30, 2023affected <= 5.2.9
Mingsoft MCMS v5.2.9 was discovered to contain a SQL injection vulnerability via the categoryType parameter at /content/list.do.
- CVE-2023-3990Jul 28, 2023affected < 5.3.2fixed 5.3.2
A vulnerability classified as problematic has been found in Mingsoft MCMS up to 5.3.1. This affects an unknown part of the file search.do of the component HTTP POST Request Handler. The manipulation of the argument style leads to cross site scripting. It is possible to initiate t
- CVE-2020-22755May 8, 2023affected <= 5.0.0
File upload vulnerability in MCMS 5.0 allows attackers to execute arbitrary code via a crafted thumbnail. A different vulnerability than CVE-2022-31943.
- CVE-2020-20913Apr 4, 2023affected < 5.1fixed 5.1
SQL Injection vulnerability found in Ming-Soft MCMS v.4.7.2 allows a remote attacker to execute arbitrary code via basic_title parameter.
- CVE-2022-47042Jan 24, 2023affected < 5.2.11fixed 5.2.11
MCMS v5.2.10 and below was discovered to contain an arbitrary file write vulnerability via the component ms/template/writeFileContent.do.
- CVE-2022-4640Dec 21, 2022affected <= 5.2.9
A vulnerability has been found in Mingsoft MCMS 5.2.9 and classified as problematic. Affected by this vulnerability is the function save of the component Article Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been dis
- CVE-2022-4375Dec 9, 2022affected < 5.2.10fixed 5.2.10
A vulnerability was found in Mingsoft MCMS up to 5.2.9. It has been classified as critical. Affected is an unknown function of the file /cms/category/list. The manipulation of the argument sqlWhere leads to sql injection. It is possible to launch the attack remotely. The exploit
- CVE-2022-4350Dec 8, 2022affected <= 5.2.8
A vulnerability, which was classified as problematic, was found in Mingsoft MCMS 5.2.8. Affected is an unknown function of the file search.do. The manipulation of the argument content_title leads to cross site scripting. It is possible to launch the attack remotely. The exploit h
- CVE-2022-36599Aug 16, 2022affected <= 5.2.8
Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/model/delete URI via models Lists.
- CVE-2022-36272Aug 16, 2022affected <= 5.2.8
Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/page/verify URI via fieldName parameter.
- CVE-2022-31943Jul 1, 2022
MCMS v5.2.8 was discovered to contain an arbitrary file upload vulnerability.
- CVE-2022-29647May 31, 2022affected <= 5.2.7
An issue was discovered in MCMS 5.2.7. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do.
- CVE-2022-30506May 27, 2022affected <= 5.2.7
An arbitrary file upload vulnerability was discovered in MCMS 5.2.7, allowing an attacker to execute arbitrary code through a crafted ZIP file.
- CVE-2022-27340Apr 22, 2022affected <= 5.2.7
MCMS v5.2.7 contains a Cross-Site Request Forgery (CSRF) via /role/saveOrUpdateRole.do. This vulnerability allows attackers to escalate privileges and modify data.
Page 1 of 2