Description
CMS ALAYA provided by KANATA Limited contains an SQL injection vulnerability. Information stored in the database may be obtained or altered by an attacker with access to the administrative interface.
Published: 2026-04-23
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection permitting data disclosure and modification
Action: Patch
AI Analysis

Impact

CMS ALAYA builds at least one database query from input supplied through its administrative interface without properly neutralizing it (CWE-89). An attacker who can reach that interface can inject SQL and read or alter information stored in the database, so the flaw threatens the confidentiality and integrity of the system's data. The record does not identify the affected function or parameter.

Affected Systems

The vulnerability applies to CMS ALAYA from KANATA Limited. The record supplies no affected-version range, so every installation should be treated as potentially affected until the vendor states which versions are fixed.

Risk and Exploitability

The CVSS v4.0 base score of 5.1 (v3.0: 4.7) classifies the issue as medium severity; both vectors describe a network-reachable flaw (AV:N) that needs high privileges (PR:H) but no user interaction, with low confidentiality, integrity and availability impact. The EPSS score below 1% indicates a low estimated probability of exploitation in the wild, the issue is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: partial. Because exploitation requires access to the administrative interface, an attacker must first obtain admin credentials or a session, or be a malicious insider; once authenticated, the injection can read or modify the database, and the scores assume that privilege barrier is intact, so a shared, weak or phished admin credential removes most of it. Overall the risk is moderate and is reduced by patching and by limiting who can reach the admin interface.

Generated by OpenCVE AI on April 28, 2026 at 14:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor fix as soon as KANATA Limited publishes a corrected version of CMS ALAYA; at the time of this record no fix or workaround is listed, so the remaining items are interim controls.
  • Restrict access to the administrative interface to the minimum set of trusted users (for example via network allow-listing or VPN), enforce strong authentication such as MFA, and review existing admin accounts and sessions so that a leaked credential does not become a database compromise.
  • For whoever maintains the CMS source (the vendor, or anyone running a customized fork): rewrite the affected database access to use parameterized queries or prepared statements so that admin-supplied values are bound as data rather than spliced into SQL text; escaping alone is not a substitute.
  • As defense in depth, place a web application firewall or input-validation layer in front of the administrative interface to log and block common SQL injection payloads. This is bypassable and does not replace the code fix, but it adds visibility of attempts, which matters here because the attacker is an authenticated admin whose requests would otherwise look legitimate.
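The following is an added illustration, not code from CMS ALAYA or from KANATA Limited: the record does not say which admin function is affected, so the page-management schema, table names, handler names and sample rows below are hypothetical. It shows the CWE-89 pattern the recommendations above are about, an admin-supplied value pasted into SQL text, and how an authenticated admin turns it into both disclosure (a UNION that pulls credential hashes out of a table the search was never meant to touch) and alteration (a WHERE clause widened to every row), then the parameterized form that closes it. It runs offline against an in-memory SQLite database.

```python
"""
Added example (not CMS ALAYA's code): admin-side SQL injection (CWE-89)
and its parameterized fix. Schema, table names, handler names and rows are
hypothetical and constructed for the demonstration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data; not taken from the real product.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", [(1, "Home", 1), (2, "Draft", 1)])
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [(1, "admin", "$2b$12$constructedhash")])
    conn.commit()
    return conn


# --- Vulnerable pattern: the admin's input becomes part of the SQL text ----

def search_pages_vulnerable(conn, keyword: str):
    # A keyword such as ' UNION SELECT username, password_hash FROM users --
    # closes the quoted pattern, appends a second SELECT against an unrelated
    # table, and comments out the rest of the original statement.
    sql = f"SELECT id, title FROM pages WHERE title LIKE '%{keyword}%'"
    return conn.execute(sql).fetchall()


def unpublish_page_vulnerable(conn, page_id: str):
    # A page_id such as 2 OR 1=1 widens the WHERE clause to every row.
    sql = f"UPDATE pages SET published = 0 WHERE id = {page_id}"
    conn.execute(sql)
    conn.commit()
    return conn.execute("SELECT id, published FROM pages ORDER BY id").fetchall()


# --- Hardened pattern: placeholders; input is bound as data, never parsed --

def search_pages_safe(conn, keyword: str):
    # The whole pattern, wildcards included, is one bound parameter; quotes
    # and comment markers inside it are just characters to match.
    sql = "SELECT id, title FROM pages WHERE title LIKE ?"
    return conn.execute(sql, ("%" + keyword + "%",)).fetchall()


def unpublish_page_safe(conn, page_id: str):
    # Validate type before the query: an id is an integer and nothing else.
    pid = int(page_id)  # raises ValueError on "2 OR 1=1"
    conn.execute("UPDATE pages SET published = 0 WHERE id = ?", (pid,))
    conn.commit()
    return conn.execute("SELECT id, published FROM pages ORDER BY id").fetchall()


def demo() -> dict:
    """Run the same two payloads through both code paths on fresh databases."""
    disclosure = "' UNION SELECT username, password_hash FROM users --"
    alteration = "2 OR 1=1"
    out = {
        "vuln_search": search_pages_vulnerable(make_db(), disclosure),
        "vuln_update": unpublish_page_vulnerable(make_db(), alteration),
        "safe_search": search_pages_safe(make_db(), disclosure),
        "safe_update_legit": unpublish_page_safe(make_db(), "2"),
    }
    try:
        unpublish_page_safe(make_db(), alteration)
        out["safe_update_rejected"] = False
    except ValueError:
        out["safe_update_rejected"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable search returns the admin's password hash alongside the page rows and the vulnerable update unpublishes every page, which is exactly the "obtained or altered" outcome in the description; the safe search returns no rows for the same input and the safe update refuses a non-integer id before any SQL runs. Note that the payloads need nothing beyond a logged-in admin session, which is why the fix has to be in the query code rather than in who is trusted with the account.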


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Title | | SQL Injection in CMS ALAYA Enabling Data Alteration

Tue, 28 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Kanata; Kanata cms Alaya
Vendors & Products | | Kanata; Kanata cms Alaya

Thu, 23 Apr 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 05:00:00 +0000

Type | Values Removed | Values Added
Description | | CMS ALAYA provided by KANATA Limited contains an SQL injection vulnerability. Information stored in the database may be obtained or altered by an attacker with access to the administrative interface.
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_0 {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L'}
Metrics | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-04-23T12:25:36.471Z

Reserved: 2026-04-13T23:51:50.290Z

Link: CVE-2026-40529

Vulnrichment

Updated: 2026-04-23T12:25:32.862Z

NVD

Status : Deferred

Published: 2026-04-23T05:16:04.583

Modified: 2026-04-23T16:23:59.233

Link: CVE-2026-40529

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses