Description
ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cms_content tag can be manipulated in the admin backend and injected into a SQL query when the template is rendered.
Published: 2026-05-07
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored SQL injection flaw exists in the cms_content tag of ChestnutCMS version 1.5.10. By manipulating the tag's content parameter through the admin backend, an attacker can inject arbitrary SQL into the query executed when the template renders. This can lead to unauthorized disclosure, modification, or deletion of data in the CMS database. The weakness is classic injection through unvalidated input, identified as CWE-89.

Affected Systems

The vulnerability affects installations of ChestnutCMS version 1.5.10. Administrators who can edit the cms_content tag in the back‑end are potentially able to exploit the flaw.

Risk and Exploitability

The EPSS score is not available and the defect is not listed in the CISA KEV catalog, so the documented exploitation likelihood is unknown. However, the risk remains significant because the flaw allows direct manipulation of database queries. The attack likely requires access to the admin backend, so any compromised credentials or weak permission settings increase the chance of exploitation.

Generated by OpenCVE AI on May 7, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Check the official vendor website or repository for any updates or official patches that address this issue.
  • Restrict or disable the cms_content tag functionality for non‑trusted users in the admin area to limit exposure.
  • Implement additional input validation or use prepared statements for database queries involving the content parameter of the cms_content tag to prevent injection.

Advisories

No advisories yet.

History

Thu, 07 May 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Liweiyi; Liweiyi chestnutcms
Vendors & Products | | Liweiyi; Liweiyi chestnutcms

Thu, 07 May 2026 16:00:00 +0000

Type | Values Removed | Values Added
Title | | ChestnutCMS v1.5.10 SQL Injection via cms_content tag
Weaknesses | | CWE-89

Thu, 07 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cms_content tag can be manipulated in the admin backend and injected into a SQL query when the template is rendered.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-07T13:59:05.880Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36458

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-07T15:16:05.523

Modified: 2026-05-07T15:53:01.027

Link: CVE-2026-36458

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T16:30:15Z

Weaknesses