CVE-2026-2954 | Dromara UJCMS 10.0.2 ImportDataController import-channel importChanel driverClassName/url injection

A vulnerability was found in Dromara UJCMS 10.0.2. It has been rated as critical. Impacted is the function importChanel of the file /api/backend/ext/import-data/import-channel of the component ImportDataController. Performing a manipulation of the argument driverClassName/url results in injection.

This vulnerability is cataloged as CVE-2026-2954. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-2954 | Dromara UJCMS 10.0.2 ImportDataController import-channel importChanel driverClassName/url injection

Post correlati

CVE-2026-24635 | DevsBlink EduBlink Core Plugin up to 2.0.7 on WordPress filename control

CVE-2024-2137 | All-in-One Addons for Elementor Plugin up to 2.4.8 on WordPress Pricing Widget cross site scripting

CVE-2024-36111 | 1Panel-dev KubePi up to 1.7.x Configuration File improper restriction of security token assignment

CVE-2025-8266 | yanyutao0402 ChanCMS up to 3.1.2 collect.js getArticle targetUrl deserialization (ICLP61)