Description
Raytha CMS is vulnerable to SQL Injection within the OData filter parsing pipeline. The vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL statements against the underlying PostgreSQL database, leading to full database compromise, including credential extraction.

Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 1.5.2 but may also affect other versions.
Published: 2026-06-30
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Raytha CMS is vulnerable to SQL injection within the OData filter parsing pipeline, allowing a remote, unauthenticated attacker to execute arbitrary SQL statements against the underlying PostgreSQL database. This can lead to full database compromise, including the extraction of credentials and other sensitive data.

Affected Systems

Raytha CMS version 1.5.2 is confirmed to be vulnerable, and other versions may be affected as well. The vendor has not published an official fix, and attempts to contact support have been unsuccessful.

Risk and Exploitability

The CVSS score of 9.3 indicates a very high severity vulnerability. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely remote, with an unauthenticated attacker sending crafted OData queries that trigger the vulnerable filter parsing logic, resulting in arbitrary SQL execution on the PostgreSQL backend.

Generated by OpenCVE AI on June 30, 2026 at 10:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an official patch for Raytha CMS when it becomes available
  • If a patch is unavailable, restrict network access to OData endpoints using firewall rules or network segmentation to limit exposure to trusted hosts
  • Implement input validation or refactor the OData filter parsing to use prepared statements, mitigating the injection risk in line with CWE-89 recommendations


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 15:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Raytha; Raytha raytha
Vendors & Products                      Raytha; Raytha raytha

Tue, 30 Jun 2026 14:30:00 +0000

Type                  Values Removed    Values Added
Metrics                                 ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 09:45:00 +0000

Type                  Values Removed    Values Added
Description                             Raytha CMS is vulnerable to SQL Injection within the OData filter parsing pipeline. The vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL statements against the underlying PostgreSQL database, leading to full database compromise, including credential extraction. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 1.5.2 but may also affect other versions.
Title                                   SQL Injection in Raytha CMS
Weaknesses                              CWE-89
References
Metrics                                 cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-30T13:15:02.414Z

Reserved: 2026-06-12T10:28:42.003Z

Link: CVE-2026-12076

Vulnrichment

Updated: 2026-06-30T13:14:57.683Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T15:00:05Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')