Path Traversal Vulnerability in Megagao ERP Solution by Feng Ha Ha
CVE-2026-2864
Key Information:
- Vendor
Feng Ha Ha
- Status
- Vendor
- CVE Published:
- 21 February 2026
Badges
What is CVE-2026-2864?
A path traversal vulnerability has been identified in the Megagao ERP and Production SSM solutions, specifically within the pictureDelete function of the PictureController.java file. This vulnerability can be exploited remotely through manipulation of the picName argument, allowing unauthorized access to file system resources outside of the intended directories. The vulnerability affects all versions prior to the commit '4288d53bd35757b27f2d070057aefb2c07bdd097'. Despite early notification regarding this issue, the vendor has not yet provided a response, putting users at potential risk.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
production_ssm 4288d53bd35757b27f2d070057aefb2c07bdd097
production_ssm 4288d53bd35757b27f2d070057aefb2c07bdd097
ssm-erp 4288d53bd35757b27f2d070057aefb2c07bdd097
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved