Description
Mura before 10.1.14 allows beanFeed.cfc getQuery sortby SQL injection.
Published: 2026-03-18
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection leads to database compromise
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a classic SQL injection in Mura CMS’s beanFeed.cfc component, specifically in the sortby parameter passed to the getQuery method. This flaw allows an attacker to inject arbitrary SQL statements, potentially reading, altering, or deleting data stored in the system’s database. The weakness is classified as CWE‑89, indicating classic SQL injection.

Affected Systems

Affected systems are installations of Mura CMS running any version prior to 10.1.14. The flaw is present wherever beanFeed.cfc handles sortby values, meaning all users who can submit that parameter are potentially impacted.

Risk and Exploitability

The CVSS score of 9.8 reflects a high severity, indicating that successful exploitation could lead to full control over the database and potentially the application server. The EPSS score of less than 1% suggests that the vulnerability is unlikely to be widely exploited at present, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers would likely target the web interface that accepts the sortby parameter; however, the exact authentication level required is not specified in the description, so it is inferred that an unauthenticated or low‑privileged user could craft the injection.

Generated by OpenCVE AI on March 21, 2026 at 06:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply patch or upgrade to Mura CMS version 10.1.14 or later
  • If upgrade is delayed, restrict access to the beanFeed.cfc endpoint and validate the sortby input to allow only safe values
  • Enable logging and monitor web application logs for attempted SQL injection attempts

Generated by OpenCVE AI on March 21, 2026 at 06:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Title SQL Injection in Mura CMS beanFeed.cfc getQuery sortby Parameter

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:murasoftware:mura_cms:*:*:*:*:*:*:*:*

Thu, 19 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Murasoftware
Murasoftware mura Cms
Vendors & Products Murasoftware
Murasoftware mura Cms

Wed, 18 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
Description Mura before 10.1.14 allows beanFeed.cfc getQuery sortby SQL injection.
References

Subscriptions

Murasoftware Mura Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-19T14:02:55.740Z

Reserved: 2025-12-12T00:00:00.000Z

Link: CVE-2025-67830

cve-icon Vulnrichment

Updated: 2026-03-19T14:02:51.155Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T17:16:04.593

Modified: 2026-03-21T00:17:17.210

Link: CVE-2025-67830

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:54:07Z

Weaknesses