PT-2026-3369 · Xiweicheng · Xiweicheng Tms
Youran · Published 2026-01-17 · Updated 2026-03-08 · CVE-2026-1062
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
xiweicheng TMS versions up to 2.28.0
Description
A flaw exists in xiweicheng TMS that allows for server-side request forgery. The issue is related to the Summary function within the src/main/java/com/lhjz/portal/util/HtmlUtil.java file. Manipulation of the url argument can trigger the flaw, potentially allowing for remote attacks. The exploit for this issue has been published.
Recommendations
Versions prior to 2.28.0 should be used. As a temporary workaround, consider restricting or disabling the use of the Summary function until a patch is available.
Exploit
Fix
SSRF
Weakness Enumeration
Related Identifiers
Affected Products
Xiweicheng Tms