PT-2025-35904 · Unknown · Apprain Cmf

Rafael Pedrero · Published 2025-09-04 · Updated 2025-09-04 · CVE-2025-41033

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

appRain CMF version 4.0.5

Description

An SQL injection vulnerability exists that allows an attacker to retrieve, create, update, and delete the database. This is possible through the data%5BPage%5D%5Bname%5D parameter in the /apprain/page/manage-dynamic-pages/create API endpoint.

Recommendations

As a temporary workaround, restrict access to the /apprain/page/manage-dynamic-pages/create API endpoint to minimize the risk of exploitation. Sanitize or validate the data%5BPage%5D%5Bname%5D parameter to prevent SQL injection attacks.
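
One way to apply the validation recommendation in PHP, as an added example that is not appRain's code or part of the original advisory: PHP parses data%5BPage%5D%5Bname%5D into the nested array data[Page][name], so the check has to handle a missing or non-string value before the name reaches a bound query parameter. The pages table, the allowlist pattern and the function names are assumptions, and the demo needs the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Allowlist for page names: letters, digits, '-' and '_', 1 to 64 characters.
// Pattern and length limit are assumptions, not appRain's own rules.
const PAGE_NAME_PATTERN = '/\A[A-Za-z0-9_-]{1,64}\z/';

// Extract data[Page][name] from a parsed request body and validate it.
// The value may be absent, or an array if the client appends [] to the field name.
function validatedPageName(array $post): string
{
    $name = $post['data']['Page']['name'] ?? null;
    if (!is_string($name) || preg_match(PAGE_NAME_PATTERN, $name) !== 1) {
        throw new InvalidArgumentException('invalid page name');
    }
    return $name;
}

// Store the page with a bound parameter, so the value never joins the SQL text.
function createPage(PDO $db, array $post): int
{
    $stmt = $db->prepare('INSERT INTO pages (name) VALUES (:name)');
    $stmt->execute([':name' => validatedPageName($post)]);
    return (int) $db->lastInsertId();
}

// Constructed demo: in-memory SQLite with a hypothetical "pages" table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed request bodies, URL-encoded as in the advisory's parameter name.
$bodies = [
    'data%5BPage%5D%5Bname%5D=about-us',          // valid name
    'data%5BPage%5D%5Bname%5D=about%27us',        // contains a single quote
    'data%5BPage%5D%5Bname%5D%5B%5D=about-us',    // array instead of string
];

foreach ($bodies as $body) {
    parse_str($body, $post);   // same field-name parsing PHP applies to $_POST
    try {
        printf("created id %d\n", createPage($db, $post));
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s\n", $body);
    }
}
```

The allowlist and the bound parameter are independent layers: the prepared statement alone keeps the value out of the SQL text, and the allowlist rejects malformed names before any query runs.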

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2025-41033

Affected Products

Apprain Cmf