Description
A security vulnerability has been detected in SEMCMS 5.0. This vulnerability affects unknown code of the file /SEMCMS_Info.php. The manipulation of the argument searchml leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-01-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch Now
AI Analysis

Impact

SEMCMS version 5.0 contains an input validation flaw in the searchml argument of the SEMCMS_Info.php script. Attackers can supply crafted input that is not properly escaped, allowing arbitrary SQL statements to be injected into the backend database query. This flaw can be triggered remotely through the web interface, allowing an attacker to read, modify, or delete data stored in the database, potentially leading to data exposure or integrity compromise. The CVSS score of 5.3 reflects moderate severity, with the potential to impact confidentiality and integrity of database contents.

Affected Systems

The vulnerability is specific to the SEMCMS content management system, version 5.0, which is the only version identified by the CNA. The affected code resides in the /SEMCMS_Info.php file and is exercised by the searchml parameter. No other vendors or product lines are listed. If any other implementations use the same code base, they may also be impacted.

Risk and Exploitability

The exploit is publicly available on GitHub and other vulnerability databases, and can be achieved over the network by providing a malicious searchml value to the web application. The EPSS score of <1% indicates that the probability of exploitation in the wild is currently low, and the vulnerability is not listed in the CISA KEV catalog. However, since the flaw can be triggered via the exposed web interface, organizations that publicly host the CMS should treat the risk as moderate and consider the existing exploit in their threat model. The lack of an official patch emphasizes the need for immediate mitigation actions.

Generated by OpenCVE AI on April 18, 2026 at 01:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of SEMCMS that debugs the searchml parameter or apply vendor‑provided fix once released.
  • If an update is unavailable, block or remove the searchml parameter from the application URL, effectively disabling the vulnerable functionality.
  • Add input validation or parameter binding to the searchml handling code to ensure that only whitelisted characters are accepted and that any database queries use prepared statements.
  • Deploy a Web Application Firewall rule to detect and block attempts to inject SQL through the searchml parameter.

Generated by OpenCVE AI on April 18, 2026 at 01:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:sem-cms:semcms:5.0:*:*:*:*:*:*:*

Thu, 29 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 29 Jan 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Sem-cms
Sem-cms semcms
Vendors & Products Sem-cms
Sem-cms semcms

Thu, 29 Jan 2026 00:45:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in SEMCMS 5.0. This vulnerability affects unknown code of the file /SEMCMS_Info.php. The manipulation of the argument searchml leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title SEMCMS SEMCMS_Info.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Sem-cms Semcms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:03:26.616Z

Reserved: 2026-01-28T16:58:29.265Z

Link: CVE-2026-1552

cve-icon Vulnrichment

Updated: 2026-01-29T19:59:01.019Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-29T01:16:09.390

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-1552

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T01:45:33Z

Weaknesses