PT-2026-25621 · Undefined · Undefined

Saul1213 +1 · Published 2026-03-16 · Updated 2026-03-16 · CVE-2026-4222

CVSS v2.0: 4.7 (Medium)

Vector: AV:N/AC:L/Au:M/C:N/I:P/A:P

Name of the Vulnerable Software and Affected Versions

SSCMS versions through 7.4.0

Description

A flaw exists in SSCMS that allows for path traversal. This issue is related to the manipulation of the path argument within the PathUtils.RemoveParentPath function located in the file /api/admin/plugins/install/actions/download. Successful exploitation could allow for remote attacks. The exploit for this issue has been publicly disclosed. The vendor was informed of this disclosure but did not provide a response.

Recommendations

Versions prior to 7.4.1 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-4222

Affected Products

Undefined