anonhaven
Ad

CVE-2026-29909

MEDIUM CVSS 3.1: 5.3 EPSS 0.02%
Updated Apr 02, 2026
Mrcms
Parameter Value
CVSS 5.3 (MEDIUM)
Type CWE-20 (Improper Input Validation), CWE-425 (Direct Request / Forced Browsing)
Vendor Mrcms
Public PoC No

MRCMS V3.1.2 contains an unauthenticated directory enumeration vulnerability in the file management module. The /admin/file/list.do endpoint lacks authentication controls and proper input validation, allowing remote attackers to enumerate directory contents on the server without any credentials.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-20 Improper Input Validation
CWE-425 Direct Request / Forced Browsing

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Mrcms Mrcms
cpe:2.3:a:mrcms:mrcms:3.1.2:*:*:*:*:*:*:*

References 2

https://github.com/qflksheep/CVE-2026-29909-MRCMS-vulnerability/blob/main/READM…
cve@mitre.org
https://github.com/wuweiit/mushroom
cve@mitre.org
Share Post Share Share Share

Related Vulnerabilities

CVE-2025-2196

Mrcms

5.1

CVE-2025-2195

Mrcms

5.1

CVE-2025-2194

Mrcms

5.1

CVE-2025-2193

Mrcms

5.3

CVE-2025-25768

Mrcms

5.4