PT-2026-29058 · Mrcms · Mrcms

Qflksheep +1 · Published 2026-03-30 · Updated 2026-03-30 · CVE-2026-29909

CVSS v3.1: 5.3 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Name of the Vulnerable Software and Affected Versions

MRCMS version 3.1.2

Description

The software contains an unauthenticated directory enumeration issue within the file management module. The /admin/file/list.do API endpoint does not have authentication checks or proper input validation, which allows remote attackers to list directory contents on the server without needing to log in. The vulnerable parameter is not specified.

Recommendations

Apply updates to address the issue in MRCMS version 3.1.2. As a temporary workaround, restrict access to the /admin/file/list.do API endpoint.
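
One way to check from web server access logs whether the temporary workaround is holding, as an added example that is not part of the advisory or of MRCMS: it reports every request to /admin/file/list.do that comes from outside an admin allowlist and marks 2xx responses as still exposed. The common/combined log format, the 10.20.0.0/24 allowlist, the `audit` helper and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ENDPOINT = "/admin/file/list.do"  # endpoint named in the advisory
# Assumption: networks that may still reach the admin API after the workaround.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Common/combined log prefix: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, placeholder query string).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Mar/2026:10:01:02 +0000] "GET /admin/file/list.do HTTP/1.1" 200 512',
    '10.20.0.15 - - [30/Mar/2026:10:02:00 +0000] "GET /admin/file/list.do HTTP/1.1" 200 498',
    '198.51.100.9 - - [30/Mar/2026:10:03:10 +0000] "POST /admin/file/list.do?placeholder=1 HTTP/1.1" 403 0',
    '203.0.113.7 - - [30/Mar/2026:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

def audit(lines, admin_nets=ADMIN_NETS):
    """Return (timestamp, ip, status, verdict) for each off-allowlist request to ENDPOINT."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        # Compare the path only, so query strings and ;path-parameters still match.
        path = urlsplit(m["target"]).path.split(";", 1)[0]
        if path != ENDPOINT:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or garbage in the client field
        if any(ip in net for net in admin_nets):
            continue  # expected admin traffic
        status = int(m["status"])
        verdict = "EXPOSED" if 200 <= status < 300 else "blocked"
        findings.append((m["ts"], str(ip), status, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Any `EXPOSED` row means the endpoint answered a client outside the allowlist, so the access restriction is not in effect on that path.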

Related Identifiers

CVE-2026-29909

Affected Products

Mrcms