CVE-2026-2863 (GCVE-0-2026-2863)

Vulnerability from cvelistv5 – Published: 2026-02-21 06:02 – Updated: 2026-02-23 19:25
VLAI?
Title
feng_ha_ha/megagao ssm-erp/production_ssm FileServiceImpl.java deleteFile path traversal
Summary
A flaw has been found in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. The impacted element is the function deleteFile of the file FileServiceImpl.java. This manipulation causes path traversal. The attack can be initiated remotely. The exploit has been published and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet.
Severity ?
5.3 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R
5.4 (Medium)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.347102 vdb-entrytechnical-description
https://vuldb.com/?ctiid.347102 signaturepermissions-required
https://vuldb.com/?submit.754530 third-party-advisory
https://github.com/megagao/production_ssm/issues/37 issue-tracking
https://github.com/megagao/production_ssm/issues/… exploitissue-tracking
Impacted products
Vendor Product Version
feng_ha_ha ssm-erp Affected: 4288d53bd35757b27f2d070057aefb2c07bdd097
Create a notification for this product.
feng_ha_ha production_ssm Affected: 4288d53bd35757b27f2d070057aefb2c07bdd097
Create a notification for this product.
megagao ssm-erp Affected: 4288d53bd35757b27f2d070057aefb2c07bdd097
Create a notification for this product.
megagao production_ssm Affected: 4288d53bd35757b27f2d070057aefb2c07bdd097
Create a notification for this product.
Credits
Jszdk (VulDB User)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2863",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-23T19:25:17.991810Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-23T19:25:45.383Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ssm-erp",
          "vendor": "feng_ha_ha",
          "versions": [
            {
              "status": "affected",
              "version": "4288d53bd35757b27f2d070057aefb2c07bdd097"
            }
          ]
        },
        {
          "product": "production_ssm",
          "vendor": "feng_ha_ha",
          "versions": [
            {
              "status": "affected",
              "version": "4288d53bd35757b27f2d070057aefb2c07bdd097"
            }
          ]
        },
        {
          "product": "ssm-erp",
          "vendor": "megagao",
          "versions": [
            {
              "status": "affected",
              "version": "4288d53bd35757b27f2d070057aefb2c07bdd097"
            }
          ]
        },
        {
          "product": "production_ssm",
          "vendor": "megagao",
          "versions": [
            {
              "status": "affected",
              "version": "4288d53bd35757b27f2d070057aefb2c07bdd097"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Jszdk (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw has been found in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. The impacted element is the function deleteFile of the file FileServiceImpl.java. This manipulation causes path traversal. The attack can be initiated remotely. The exploit has been published and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5.5,
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-21T06:02:09.608Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-347102 | feng_ha_ha/megagao ssm-erp/production_ssm FileServiceImpl.java deleteFile path traversal",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.347102"
        },
        {
          "name": "VDB-347102 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.347102"
        },
        {
          "name": "Submit #754530 | https://github.com/megagao/production_ssm production_ssm v1.0 Arbitrary file deletion",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.754530"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/megagao/production_ssm/issues/37"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/megagao/production_ssm/issues/37#issue-3914979380"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-20T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-02-20T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-02-20T15:22:54.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "feng_ha_ha/megagao ssm-erp/production_ssm FileServiceImpl.java deleteFile path traversal"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-2863",
    "datePublished": "2026-02-21T06:02:09.608Z",
    "dateReserved": "2026-02-20T14:17:44.232Z",
    "dateUpdated": "2026-02-23T19:25:45.383Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-2863",
      "date": "2026-05-21",
      "epss": "0.00087",
      "percentile": "0.24793"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-2863\",\"sourceIdentifier\":\"cna@vuldb.com\",\"published\":\"2026-02-21T06:17:02.177\",\"lastModified\":\"2026-04-29T01:00:01.613\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw has been found in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. The impacted element is the function deleteFile of the file FileServiceImpl.java. This manipulation causes path traversal. The attack can be initiated remotely. The exploit has been published and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet.\"},{\"lang\":\"es\",\"value\":\"Se ha encontrado una vulnerabilidad en feng_ha_ha/megagao ssm-erp y production_ssm hasta 4288d53bd35757b27f2d070057aefb2c07bdd097 que afecta a la funci\u00f3n deleteFile del archivo FileServiceImpl.java. Su manipulaci\u00f3n provoca un salto de ruta. El ataque puede iniciarse de forma remota. El exploit ha sido publicado y puede ser utilizado. En este producto se realizan entregas continuas con lanzamientos progresivos, por lo tanto, no hay detalles de versi\u00f3n de las versiones afectadas ni actualizadas. Este producto se distribuye bajo dos nombres completamente diferentes. Antes de la divulgar esta vulnerabilidad se contact\u00f3 con el proyecto a trav\u00e9s de un informe de incidencias, pero a\u00fan no ha respondido.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":2.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}],\"cvssMetricV2\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:P/A:P\",\"baseScore\":5.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://github.com/megagao/production_ssm/issues/37\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://github.com/megagao/production_ssm/issues/37#issue-3914979380\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?ctiid.347102\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?id.347102\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?submit.754530\",\"source\":\"cna@vuldb.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-2863\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-23T19:25:17.991810Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-23T19:25:36.098Z\"}}], \"cna\": {\"title\": \"feng_ha_ha/megagao ssm-erp/production_ssm FileServiceImpl.java deleteFile path traversal\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Jszdk (VulDB User)\"}], \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P\"}}, {\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R\"}}, {\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R\"}}, {\"cvssV2_0\": {\"version\": \"2.0\", \"baseScore\": 5.5, \"vectorString\": \"AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR\"}}], \"affected\": [{\"vendor\": \"feng_ha_ha\", \"product\": \"ssm-erp\", \"versions\": [{\"status\": \"affected\", \"version\": \"4288d53bd35757b27f2d070057aefb2c07bdd097\"}]}, {\"vendor\": \"feng_ha_ha\", \"product\": \"production_ssm\", \"versions\": [{\"status\": \"affected\", \"version\": \"4288d53bd35757b27f2d070057aefb2c07bdd097\"}]}, {\"vendor\": \"megagao\", \"product\": \"ssm-erp\", \"versions\": [{\"status\": \"affected\", \"version\": \"4288d53bd35757b27f2d070057aefb2c07bdd097\"}]}, {\"vendor\": \"megagao\", \"product\": \"production_ssm\", \"versions\": [{\"status\": \"affected\", \"version\": \"4288d53bd35757b27f2d070057aefb2c07bdd097\"}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-02-20T00:00:00.000Z\", \"value\": \"Advisory disclosed\"}, {\"lang\": \"en\", \"time\": \"2026-02-20T01:00:00.000Z\", \"value\": \"VulDB entry created\"}, {\"lang\": \"en\", \"time\": \"2026-02-20T15:22:54.000Z\", \"value\": \"VulDB entry last update\"}], \"references\": [{\"url\": \"https://vuldb.com/?id.347102\", \"name\": \"VDB-347102 | feng_ha_ha/megagao ssm-erp/production_ssm FileServiceImpl.java deleteFile path traversal\", \"tags\": [\"vdb-entry\", \"technical-description\"]}, {\"url\": \"https://vuldb.com/?ctiid.347102\", \"name\": \"VDB-347102 | CTI Indicators (IOB, IOC, TTP, IOA)\", \"tags\": [\"signature\", \"permissions-required\"]}, {\"url\": \"https://vuldb.com/?submit.754530\", \"name\": \"Submit #754530 | https://github.com/megagao/production_ssm production_ssm v1.0 Arbitrary file deletion\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://github.com/megagao/production_ssm/issues/37\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://github.com/megagao/production_ssm/issues/37#issue-3914979380\", \"tags\": [\"exploit\", \"issue-tracking\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw has been found in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. The impacted element is the function deleteFile of the file FileServiceImpl.java. This manipulation causes path traversal. The attack can be initiated remotely. The exploit has been published and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"Path Traversal\"}]}], \"providerMetadata\": {\"orgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"shortName\": \"VulDB\", \"dateUpdated\": \"2026-02-21T06:02:09.608Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-2863\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-23T19:25:45.383Z\", \"dateReserved\": \"2026-02-20T14:17:44.232Z\", \"assignerOrgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"datePublished\": \"2026-02-21T06:02:09.608Z\", \"assignerShortName\": \"VulDB\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.