CVE-2026-3786

Name of the Vulnerable Software and Affected Versions EasyCMS versions prior to 1.7

Description A security flaw exists in EasyCMS that allows for remote SQL injection. The issue is located within the Request Parameter Handler component, specifically in the file /RbacuserAction.class.php. Manipulation of the order argument can lead to successful exploitation. The exploit has been publicly released.

Recommendations Update to version 1.7 or later. As a temporary workaround, restrict access to the /RbacuserAction.class.php file. Avoid using the order parameter in requests to the affected component.