CVE-2026-4222: Path Traversal in SSCMS
A vulnerability was determined in SSCMS up to 7.4.0. It affects the function PathUtils.RemoveParentPath of the file /api/admin/plugins/install/actions/download. Manipulation of the argument path leads to path traversal. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2026-4222 is a path traversal vulnerability identified in SSCMS, a content management system, affecting versions 7.0 through 7.4.0. The flaw resides in the PathUtils.RemoveParentPath function, which is invoked by the /api/admin/plugins/install/actions/download API endpoint. This function is intended to sanitize file paths by removing parent directory references (e.g., '..'), but due to improper validation, it can be manipulated to allow directory traversal attacks. An attacker with high privileges can remotely exploit this vulnerability by crafting a malicious path argument, enabling them to access files outside the intended directory scope. This can lead to unauthorized disclosure of sensitive files or modification of system files, compromising confidentiality and integrity. The vulnerability does not require user interaction but does require the attacker to have elevated privileges, limiting the attack surface. The vendor was notified early but has not issued a patch or response, and no known public exploits have been observed yet. The CVSS 4.0 score is 5.1, reflecting medium severity due to the requirement for high privileges and limited impact on availability.
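The advisory's point is that removing parent-directory references from a string is not the same as proving the final path stays inside the plugin directory. The following is an added illustration (not SSCMS's code; the base directory and file names are constructed) that places a hypothetical strip-style sanitizer next to a hardened resolver that canonicalises first and then checks containment:

```python
import posixpath
from typing import Optional

# Constructed base directory for the illustration; not SSCMS's real layout.
PLUGIN_DIR = "/var/sscms/plugins"


def naive_remove_parent_path(path: str) -> str:
    """Hypothetical strip-style sanitizer of the kind the advisory describes
    (not SSCMS's code). Deleting '../' textually in one pass is not a containment
    check: what remains after the deletion can itself be '../' again."""
    return path.replace("../", "")


def naive_resolve(path: str) -> str:
    """Where a strip-then-join design ends up for a given request path."""
    return posixpath.normpath(posixpath.join(PLUGIN_DIR, naive_remove_parent_path(path)))


def escapes_base(resolved: str) -> bool:
    """True when a resolved path lies outside PLUGIN_DIR."""
    return not resolved.startswith(PLUGIN_DIR + "/")


def safe_resolve(path: str) -> Optional[str]:
    """Hardened form: canonicalise first, then prove the result is under PLUGIN_DIR.
    Returns the resolved path, or None when the request must be rejected.
    A real deployment also runs os.path.realpath on the result so symlinks
    cannot redirect it outside the directory."""
    if "\x00" in path:                       # embedded NUL truncates C strings
        return None
    path = path.replace("\\", "/")           # backslashes are separators on Windows
    candidate = posixpath.normpath(posixpath.join(PLUGIN_DIR, path))
    if escapes_base(candidate):              # absolute path or escaped the base
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request values: benign, plain traversal, nested dots, absolute.
    for p in ["plugin-a/plugin.json", "../../app-secrets.json",
              "....//....//app-secrets.json", "/elsewhere/app-secrets.json"]:
        resolved = naive_resolve(p)
        print(f"{p!r:34} strip-only -> {resolved} (escapes={escapes_base(resolved)})"
              f"  hardened -> {safe_resolve(p)}")
```

The hardened resolver accepts the nested-dots value as a literal (odd) name inside the plugin directory rather than an escape, which is the behaviour a containment check should have.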
Potential Impact
The primary impact of CVE-2026-4222 is unauthorized access to files outside the intended directory structure, potentially exposing sensitive configuration files, credentials, or other critical data. This can lead to information disclosure, aiding further attacks such as privilege escalation or lateral movement within the network. Integrity could also be compromised if attackers modify files, potentially injecting malicious code or disrupting system functionality. Availability impact is limited as the vulnerability does not directly enable denial of service. Since exploitation requires high privileges, the threat is more significant in environments where attackers have already gained some level of administrative access or where privilege boundaries are weak. Organizations relying on SSCMS for content management and plugin installation are at risk of data breaches and system compromise if this vulnerability is exploited.
Mitigation Recommendations
1. Upgrade SSCMS to a version beyond 7.4.0 once a patch is released by the vendor. In the absence of an official patch, consider applying community or third-party patches if available and verified.
2. Restrict access to the /api/admin/plugins/install/actions/download endpoint to trusted administrators only, using network segmentation, firewall rules, or VPN access controls.
3. Implement strict input validation and sanitization on the path parameter at the application or web server level to prevent directory traversal sequences such as '../'.
4. Employ file system permissions to limit the SSCMS process's access strictly to necessary directories, minimizing the impact of traversal attempts.
5. Monitor logs for suspicious access patterns or attempts to exploit path traversal, focusing on the affected API endpoint.
6. Conduct regular security audits and penetration tests to detect similar vulnerabilities and verify the effectiveness of mitigations.
7. Educate administrators on the risks of privilege escalation and enforce the principle of least privilege to reduce the likelihood of high-privilege attacker presence.
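Recommendation 5 asks for log monitoring focused on the affected endpoint. The following is an added example (not from the advisory or the SSCMS project) of a scanner for combined-format access logs that flags requests to that endpoint whose path argument contains a '..' segment after percent-decoding, including double-encoded forms; it assumes the argument arrives in the query string, which the advisory does not state, and the log lines are constructed:

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and argument name come from the advisory; that 'path' is a query-string
# parameter is an assumption made here so that access-log lines can be scanned.
ENDPOINT = "/api/admin/plugins/install/actions/download"
PARAM = "path"
# Combined-style access line; the sample below is constructed in this format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
DOTDOT = re.compile(r'(^|[\\/])\.\.([\\/]|$)')   # '..' segment, slash or backslash

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_line(line: str):
    """Return a finding dict for a traversal attempt on ENDPOINT, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != ENDPOINT:
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        value = fully_decode(raw)  # parse_qs already decoded one layer
        if DOTDOT.search(value) or "\x00" in value:
            return {"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                    "status": m["status"], "decoded": value}
    return None

def scan(log_text: str) -> list:
    return [f for f in map(flag_line, log_text.splitlines()) if f]

# Constructed sample: a benign download, two attempts (plain and double-encoded),
# and a request to an unrelated endpoint that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - admin [16/Mar/2026:06:51:00 +0000] "GET /api/admin/plugins/install/actions/download?path=plugin-a%2Fplugin.json HTTP/1.1" 200 512
203.0.113.7 - admin [16/Mar/2026:06:51:05 +0000] "GET /api/admin/plugins/install/actions/download?path=..%2F..%2Fapp-secrets.json HTTP/1.1" 200 2048
203.0.113.7 - admin [16/Mar/2026:06:51:09 +0000] "GET /api/admin/plugins/install/actions/download?path=%252e%252e%2F%252e%252e%2Fapp-secrets.json HTTP/1.1" 200 2048
198.51.100.4 - - [16/Mar/2026:06:52:00 +0000] "GET /api/admin/dashboard?path=..%2F HTTP/1.1" 200 100
"""
if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A flagged request that returned status 200 deserves priority, since the attempt may have succeeded; requests that carry the argument in a POST body will not appear in access logs and need application-level logging instead.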
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-15T16:33:32.364Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b7a8549d4df4518325f337
Added to database: 3/16/2026, 6:51:00 AM
Last enriched: 3/16/2026, 7:05:16 AM
Last updated: 3/16/2026, 9:05:16 AM