CVE-2026-2954 is an injection vulnerability identified in Dromara UJCMS version 10.0.2, affecting the importChanel function within the ImportDataController component, specifically the /api/backend/ext/import-data/import-channel endpoint. The vulnerability stems from insufficient sanitization or validation of the driverClassName and url parameters, which can be manipulated by remote attackers to inject malicious payloads. This injection flaw can be exploited remotely without requiring authentication or user interaction, increasing its risk profile. The injection could allow attackers to execute arbitrary code or commands, manipulate data, or disrupt application functionality, impacting confidentiality, integrity, and availability. The CVSS 4.0 score of 5.3 reflects a medium severity, considering the ease of remote exploitation but limited scope and impact. The vendor was notified early but has not issued a patch or response, and while a public exploit exists, no confirmed active exploitation has been observed. The lack of vendor response and patch availability increases the urgency for organizations to implement compensating controls. The vulnerability highlights the importance of secure coding practices, especially input validation and sanitization in web application endpoints handling external data imports.

The injection vulnerability in UJCMS 10.0.2 can lead to unauthorized code execution or data manipulation, potentially compromising the confidentiality, integrity, and availability of affected systems. Attackers exploiting this flaw could alter import data processes, inject malicious payloads, or disrupt CMS operations, leading to data breaches, defacement, or service outages. Since the attack vector is remote and does not require authentication or user interaction, the risk of widespread exploitation is significant if the system is exposed to untrusted networks. Organizations relying on UJCMS for content management or web services may face operational disruptions and reputational damage. The absence of an official patch and vendor response further exacerbates the risk, as organizations must rely on interim mitigations. The impact is particularly critical for entities managing sensitive or high-value content, as injection attacks can facilitate lateral movement or persistent access within networks.

1. Implement strict input validation and sanitization on the driverClassName and url parameters in the importChanel function to prevent injection payloads. 2. Restrict access to the /api/backend/ext/import-data/import-channel endpoint using network-level controls such as firewalls, VPNs, or IP whitelisting to limit exposure to trusted sources only. 3. Monitor application logs and network traffic for unusual or suspicious activity related to import data operations, focusing on unexpected parameter values or error patterns. 4. Employ Web Application Firewalls (WAF) with custom rules to detect and block injection attempts targeting the vulnerable endpoint. 5. If possible, disable or restrict the import data functionality temporarily until a vendor patch or official fix is released. 6. Conduct regular security assessments and code reviews to identify and remediate similar injection risks in other parts of the application. 7. Maintain an incident response plan to quickly address any suspected exploitation attempts. 8. Engage with the vendor or community to track updates or unofficial patches addressing this vulnerability.