CVE-2026-2864 is a path traversal vulnerability identified in the ssm-erp software developed by feng_ha_ha (also distributed under the name megagao). The flaw exists in the pictureDelete method within PictureController.java, where the picName parameter is insufficiently sanitized, allowing attackers to manipulate the file path. By crafting malicious input, an attacker can traverse outside the intended directory structure to delete arbitrary files on the server. This vulnerability can be exploited remotely without user interaction but requires low-level privileges (PR:L), indicating the attacker must have some authenticated access or limited privileges on the system. The product does not use versioning, and the vendor has not responded to vulnerability reports, complicating patch management and risk assessment. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (AT:N) but with low privileges (PR:L), no user interaction (UI:N), and limited impact on confidentiality, integrity, and availability (VI:L, VA:L, VC:N). No patches or mitigations have been officially released, and while no active exploits are known in the wild, public disclosure increases the likelihood of exploitation attempts.

The path traversal vulnerability allows attackers to delete arbitrary files on the server hosting the ssm-erp application, potentially leading to denial of service by removing critical files or disrupting business operations. If sensitive files are deleted, it could impact data integrity and availability. Although the vulnerability requires low privileges, an attacker who gains limited access could escalate damage by deleting configuration files, logs, or other important resources. This could also facilitate further attacks or system compromise. Organizations relying on ssm-erp for enterprise resource planning risk operational disruption, data loss, and potential compliance violations if exploited. The lack of vendor response and absence of patches increase exposure duration and risk. The vulnerability's remote exploitability and absence of user interaction requirements make it a significant threat in environments where ssm-erp is deployed.

Organizations should immediately audit access controls to ensure that only trusted users have privileges to invoke the pictureDelete function or similar file operations. Implement strict input validation and sanitization on the picName parameter to prevent directory traversal sequences such as '../'. Employ application-layer firewalls or web application firewalls (WAFs) with rules to detect and block path traversal attempts targeting ssm-erp endpoints. Monitor logs for suspicious deletion requests or unusual file system activity. If possible, isolate the ssm-erp application in a restricted environment with minimal file system permissions, limiting the impact of any file deletion. Regularly back up critical files and configurations to enable recovery in case of deletion. Engage with the vendor or community to track any forthcoming patches or updates. Consider code review or custom patching to fix the input validation flaw if source code access is available. Finally, educate administrators and users about the risks and signs of exploitation.