net.mingsoft:ms-mcms (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package net.mingsoft:ms-mcms, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (39)
CVE-2025-56316 — CVSS 9.8 (critical): A SQL injection vulnerability in the content_title parameter of the /cms/content/list endpoint in MCMS 5.5.0 allows remote attackers to…
CVE-2020-20913 — CVSS 9.8 (critical): SQL Injection vulnerability found in Ming-Soft MCMS v.4.7.2 allows a remote attacker to execute arbitrary code via basic_title parameter.
CVE-2022-30506 — CVSS 9.8 (critical): An arbitrary file upload vulnerability was discovered in MCMS 5.2.7, allowing an attacker to execute arbitrary code through a crafted ZIP…
CVE-2018-18830 — CVSS 9.8 (critical): An issue was discovered in com\mingsoft\basic\action\web\FileAction.java in MCMS 4.6.5. Since the upload interface does not verify the user…
CVE-2020-23262 — CVSS 9.8 (critical): An issue was discovered in ming-soft MCMS v5.0, where a malicious user can exploit SQL injection without logging in through /mcms/view.do.
CVE-2021-44868 — CVSS 9.8 (critical): A problem was found in ming-soft MCMS v5.1. There is a sql injection vulnerability in /ms/cms/content/list.do
CVE-2021-46036 — CVSS 9.8 (critical): An arbitrary file upload vulnerability in the component /ms/file/uploadTemplate.do of MCMS v5.2.4 allows attackers to execute arbitrary…
CVE-2025-29287 — CVSS 9.8 (critical): An arbitrary file upload vulnerability in the ueditor component of MCMS v5.4.3 allows attackers to execute arbitrary code via uploading a…
CVE-2023-50578 — CVSS 9.8 (critical): Mingsoft MCMS v5.2.9 was discovered to contain a SQL injection vulnerability via the categoryType parameter at /content/list.do.
CVE-2022-36599 — CVSS 9.8 (critical): Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/model/delete URI via models Lists.
CVE-2021-46384 — CVSS 9.8 (critical): https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: RCE. The impact is: execute arbitrary code (remote). The attack vector is…
CVE-2022-36272 — CVSS 9.8 (critical): Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/page/verify URI via fieldName parameter.
CVE-2021-46386 — CVSS 9.8 (critical): File upload vulnerability in mingSoft MCMS through 5.2.5, allows remote attackers to execute arbitrary code via a crafted jspx webshell to…
CVE-2022-22929 — CVSS 9.8 (critical): MCMS v5.2.4 was discovered to have an arbitrary file upload vulnerability in the New Template module, which allows attackers to execute…
CVE-2022-22930 — CVSS 9.8 (critical): A remote code execution (RCE) vulnerability in the Template Management function of MCMS v5.2.4 allows attackers to execute arbitrary code…
CVE-2022-23315 — CVSS 9.8 (critical): MCMS v5.2.4 was discovered to contain an arbitrary file upload vulnerability via the component /ms/template/writeFileContent.do.
CVE-2022-23898 — CVSS 9.8 (critical): MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via the categoryId parameter in the file IContentDao.xml.
CVE-2022-23899 — CVSS 9.8 (critical): MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via search.do in the file /web/MCmsAction.java.
CVE-2021-46063 — CVSS 9.1 (critical): MCMS v5.2.5 was discovered to contain a Server Side Template Injection (SSTI) vulnerability via the Template Management module.
CVE-2018-17366 — CVSS 8.8 (high): An issue was discovered in MCMS 4.6.5. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do.
CVE-2020-22755 — CVSS 8.8 (high): File upload vulnerability in MCMS 5.0 allows attackers to execute arbitrary code via a crafted thumbnail. A different vulnerability than…
CVE-2022-27340 — CVSS 8.8 (high): MCMS v5.2.7 contains a Cross-Site Request Forgery (CSRF) via /role/saveOrUpdateRole.do. This vulnerability allows attackers to escalate…
CVE-2022-29647 — CVSS 8.8 (high): An issue was discovered in MCMS 5.2.7. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do.
CVE-2022-47042 — CVSS 8.8 (high): MCMS v5.2.10 and below was discovered to contain an arbitrary file write vulnerability via the component ms/template/writeFileContent.do.
CVE-2024-22567 — CVSS 8.8 (high): File Upload vulnerability in MCMS 5.3.5 allows attackers to upload arbitrary files via crafted POST request to /ms/file/upload.do.
CVE-2021-46037 — CVSS 8.1 (high): MCMS v5.2.4 was discovered to contain an arbitrary file deletion vulnerability via the component /template/unzip.do.
CVE-2021-46383 — CVSS 7.5 (high): https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL Injection. The impact is: obtain sensitive information (remote). The…
CVE-2023-51282 — CVSS 7.5 (high): An issue in mingSoft MCMS v.5.2.4 allows a a remote attacker to obtain sensitive information via a crafted script to the password parameter.
CVE-2018-18831 — CVSS 7.5 (high): An issue was discovered in com\mingsoft\cms\action\GeneraterAction.java in MCMS 4.6.5. An attacker can write a .jsp file (in the position…
CVE-2021-46385 — CVSS 7.5 (high): https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL Injection. The impact is: obtain sensitive information (remote). The…
CVE-2021-46062 — CVSS 7.1 (high): MCMS v5.2.5 was discovered to contain an arbitrary file deletion vulnerability via the component oldFileName.
CVE-2022-4375 — CVSS 6.3 (medium): A vulnerability was found in Mingsoft MCMS up to 5.2.9. It has been classified as critical. Affected is an unknown function of the file…
CVE-2025-60837 — CVSS 6.1 (medium): A reflected cross-site scripting (XSS) vulnerability in MCMS v6.0.1 allows attackers to execute arbitrary Javascript in the context of a…
CVE-2026-2666 — CVSS 4.7 (medium): A flaw has been found in mingSoft MCMS 6.1.1. The affected element is an unknown function of the file /ms/file/uploadTemplate.do of the…
CVE-2022-4350 — CVSS 3.5 (low): A vulnerability, which was classified as problematic, was found in Mingsoft MCMS 5.2.8. Affected is an unknown function of the file…
CVE-2022-4640 — CVSS 3.5 (low): A vulnerability has been found in Mingsoft MCMS 5.2.9 and classified as problematic. Affected by this vulnerability is the function save of…
CVE-2023-3990 — CVSS 3.5 (low): A vulnerability classified as problematic has been found in Mingsoft MCMS up to 5.3.1. This affects an unknown part of the file search.do…