CVE-2026-1062

Summary

A flaw has been found in xiweicheng TMS up to 2.28.0. This affects the function Summary of the file src/main/java/com/lhjz/portal/util/HtmlUtil.java. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been published and may be used.

Affected Software

VendorProductVersion RangeStatus
xiweichengTMS2.0affected
xiweichengTMS2.1affected
xiweichengTMS2.2affected
xiweichengTMS2.3affected
xiweichengTMS2.4affected
xiweichengTMS2.5affected
xiweichengTMS2.6affected
xiweichengTMS2.7affected
xiweichengTMS2.8affected
xiweichengTMS2.9affected
xiweichengTMS2.10affected
xiweichengTMS2.11affected
xiweichengTMS2.12affected
xiweichengTMS2.13affected
xiweichengTMS2.14affected
xiweichengTMS2.15affected
xiweichengTMS2.16affected
xiweichengTMS2.17affected
xiweichengTMS2.18affected
xiweichengTMS2.19affected
xiweichengTMS2.20affected
xiweichengTMS2.21affected
xiweichengTMS2.22affected
xiweichengTMS2.23affected
xiweichengTMS2.24affected
xiweichengTMS2.25affected
xiweichengTMS2.26affected
xiweichengTMS2.27affected
xiweichengTMS2.28.0affected

Weaknesses

  • CWE-918: Server-Side Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References