CVE-2026-2954: Injection in Dromara UJCMS
A vulnerability was found in Dromara UJCMS 10.0.2. Impacted is the function importChanel of the file /api/backend/ext/import-data/import-channel of the component ImportDataController. Performing a manipulation of the argument driverClassName/url results in injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2026-2954 identifies an injection vulnerability in Dromara UJCMS version 10.0.2, located in the importChanel function within the /api/backend/ext/import-data/import-channel endpoint of the ImportDataController component. The vulnerability is triggered by manipulation of the driverClassName and url parameters, which are not properly sanitized or validated, enabling injection attacks. This flaw allows remote attackers to execute arbitrary code or commands by crafting malicious input, potentially leading to unauthorized access or data manipulation. The attack vector requires no authentication or user interaction, increasing the risk of exploitation. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting a medium severity level due to limited scope and partial impact on confidentiality, integrity, and availability. Despite public disclosure and availability of exploit code, no active exploitation has been observed. The vendor was notified but has not issued any response or patch, leaving systems exposed. This vulnerability affects only version 10.0.2 of UJCMS, a content management system used primarily in certain regions and sectors. The lack of vendor response and patch availability necessitates immediate defensive measures by users to mitigate risk.
Potential Impact
The injection vulnerability in UJCMS 10.0.2 can lead to unauthorized code execution, data manipulation, or system compromise, impacting confidentiality, integrity, and availability of affected systems. Attackers exploiting this flaw could gain control over the CMS backend, potentially leading to data breaches, defacement, or disruption of services. Organizations relying on UJCMS for content management, especially those handling sensitive or critical information, face increased risk of operational disruption and reputational damage. The remote, unauthenticated nature of the attack vector broadens the potential attacker base, including opportunistic threat actors. The absence of vendor patches prolongs exposure, increasing the window for exploitation. However, the medium CVSS score and limited scope suggest that while impactful, the vulnerability is not trivially exploitable at scale without additional conditions. Nonetheless, targeted attacks against high-value organizations using this CMS could have significant consequences.
Mitigation Recommendations
Given the lack of official patches, organizations should implement immediate compensating controls. These include restricting access to the vulnerable import-channel API endpoint via network segmentation or firewall rules to trusted IPs only. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting driverClassName and url parameters. Conduct thorough input validation and sanitization on all user-supplied data where possible, potentially via custom middleware or reverse proxies. Monitor logs for anomalous activity related to import data functions and unusual parameter values. Consider disabling or restricting the importChanel functionality if not essential. Maintain up-to-date backups to enable recovery in case of compromise. Engage with the vendor or community for updates and patches, and plan for an upgrade once a fixed version is released. Additionally, conduct security awareness training for administrators to recognize signs of exploitation.
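The input validation recommended above, as an added example (not UJCMS code and not part of the advisory): a strict allowlist check that middleware or a reverse proxy in front of the import-channel endpoint could apply to `driverClassName` and `url`. The driver class, database endpoint and permitted connection properties are assumed policy values chosen for illustration; anything not explicitly listed is rejected.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed policy (not from the advisory): the single driver, database
# endpoint and connection properties the import feature legitimately needs.
ALLOWED_DRIVERS = {"com.mysql.cj.jdbc.Driver": "mysql"}  # class -> JDBC subprotocol
ALLOWED_ENDPOINTS = {("legacy-db.internal.example", 3306)}
ALLOWED_PROPERTIES = {"useSSL": {"true"}, "characterEncoding": {"UTF-8"}}


def check_import_params(driver_class_name, url):
    """Return a list of rejection reasons; an empty list means allowed."""
    reasons = []
    subprotocol = ALLOWED_DRIVERS.get(driver_class_name)
    if subprotocol is None:
        reasons.append("driverClassName not on allowlist")
    # Refuse anything a downstream parser might interpret differently.
    if not isinstance(url, str) or any(
        c.isspace() or not c.isprintable() or c == "%" for c in url
    ):
        return reasons + ["url contains whitespace, control or percent-encoded characters"]
    if not url.startswith("jdbc:"):
        return reasons + ["url is not a JDBC URL"]
    try:
        parts = urlsplit(url[len("jdbc:"):])
        endpoint = (parts.hostname, parts.port)  # .port raises on garbage
    except ValueError:
        return reasons + ["url could not be parsed"]
    if subprotocol is not None and parts.scheme != subprotocol:
        reasons.append("url subprotocol does not match the driver")
    if endpoint not in ALLOWED_ENDPOINTS:
        reasons.append("database host/port not on allowlist")
    if parts.username or parts.password or parts.fragment:
        reasons.append("credentials or fragment embedded in url")
    # Every connection property must be explicitly permitted, by name and value.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if value not in ALLOWED_PROPERTIES.get(key, ()):
            reasons.append(f"connection property not on allowlist: {key}")
    return reasons
```

Rejections returned by this check are also a useful log signal for the monitoring step: any non-empty result against this endpoint is worth alerting on.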
Affected Countries
China, United States, Germany, South Korea, Japan, India, Brazil, Russia, France, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-21T21:11:15.185Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699b1df9be58cf853b5c408f
Added to database: 2/22/2026, 3:17:13 PM
Last enriched: 3/2/2026, 6:32:36 AM
Last updated: 4/8/2026, 9:51:37 PM