Description
SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the “id_territorio” parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries.
Published: 2026-04-29
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection in MegaCMS v12.0.0, affecting the id_territorio parameter of /web_comunications/cms/get_provincias. A POST request containing malicious input can be processed without proper sanitisation, allowing an unauthenticated attacker to run arbitrary SQL commands against the database. This could lead to data exfiltration, modification, or deletion, essentially compromising the confidentiality and integrity of the database. The weakness maps to CWE‑89.

Affected Systems

This flaw impacts MegaCMS provided by CRM Sistemas de Fidelización, specifically version 12.0.0. No other versions are listed as affected, and the vendor’s CNA notes the issue for this release only.

Risk and Exploitability

With a CVSS score of 10, the vulnerability is considered critical. The EPSS value is not available, so the current estimate of exploit likelihood is unknown. The CVE is not included in the CISA KEV catalog. Attackers could exploit the flaw by sending a crafted POST request to the vulnerable endpoint without needing authentication. If successful, they could gain complete control over the underlying database, making this an extremely high‑risk issue for sites still running the affected version.

Generated by OpenCVE AI on April 29, 2026 at 10:20 UTC.

Remediation

Vendor Solution

Update to the latest available version.

OpenCVE Recommended Actions

  • Upgrade MegaCMS to the latest available version that includes the fix
  • If an upgrade cannot be performed immediately, restrict or disable public access to /web_comunications/cms/get_provincias or enforce authentication on that endpoint
  • Ensure the application’s database user has least‑privilege permissions and that all queries are parameterised to prevent injection

Generated by OpenCVE AI on April 29, 2026 at 10:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Description SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the “id_territorio” parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries.
Title SQL injection in MegaCMS by CRM Sistemas de Fidelización
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-04-29T12:06:07.199Z

Reserved: 2026-02-27T13:20:09.388Z

Link: CVE-2026-3325

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-29T09:16:24.130

Modified: 2026-04-29T09:16:24.130

Link: CVE-2026-3325

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T10:30:08Z

Weaknesses