Megacms · Megacms · CVE-2026-3325
**Name of the Vulnerable Software and Affected Versions**
MegaCMS version 12.0.0
**Description**
Inadequate validation and sanitization of user input allows an unauthenticated attacker to execute arbitrary SQL queries via a POST request. The issue is located in the "/web comunications/cms/get provincias" endpoint through the `id territorio` parameter, which is processed after the registration form is submitted.
**Recommendations**
Update MegaCMS version 12.0.0 to a patched version.
Avoid using the `id territorio` parameter in the "/web comunications/cms/get provincias" endpoint until the issue is resolved.
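
The fix pattern for this class of flaw, as an added example that is not MegaCMS code: the request value is validated against an allow-list and then passed as a bound parameter, shown next to the concatenation anti-pattern. The table and column names, the assumption that the identifier is numeric, and the use of Python with SQLite as a stand-in are all hypothetical.

```python
import re
import sqlite3

def make_db():
    """Constructed schema and rows; MegaCMS's real tables are not on the page."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE provinces (id INTEGER PRIMARY KEY, territory_id INTEGER, name TEXT);
        INSERT INTO provinces VALUES (1, 10, 'Madrid'), (2, 10, 'Toledo'), (3, 20, 'Porto');
    """)
    return conn

# Assumption: the territory identifier is a small positive integer.
_ID_RE = re.compile(r"[0-9]{1,9}")

def parse_territory_id(raw):
    """Allow-list validation: accept plain ASCII digits only, reject the rest."""
    if not isinstance(raw, str) or not _ID_RE.fullmatch(raw):
        raise ValueError("invalid territory id")
    return int(raw)

def provinces_concatenated(conn, raw):
    """Anti-pattern: the request value becomes part of the SQL text, so a
    value such as '10 OR 1=1' rewrites the WHERE clause."""
    sql = "SELECT name FROM provinces WHERE territory_id = " + raw
    return [row[0] for row in conn.execute(sql)]

def provinces_bound(conn, raw):
    """Hardened: validate first, then hand the value to the driver as a
    bound parameter so it is never parsed as SQL."""
    tid = parse_territory_id(raw)
    rows = conn.execute(
        "SELECT name FROM provinces WHERE territory_id = ? ORDER BY id", (tid,)
    )
    return [row[0] for row in rows]

def lookup(conn, raw):
    """Handler-style wrapper: invalid input gets a 400 and no query is run."""
    try:
        return 200, provinces_bound(conn, raw)
    except ValueError:
        return 400, []
```

Validation and binding are independent layers: the bound parameter alone stops the value from being parsed as SQL, and the allow-list additionally rejects malformed requests before they reach the database.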