PT-2026-35884 · Megacms · Megacms

Miguel Ovejero

Published

2026-04-29

Updated

2026-04-30

CVE-2026-3325

CVSS v4.0

Critical

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L

Name of the Vulnerable Software and Affected Versions MegaCMS version 12.0.0

Description Inadequate validation and sanitization of user input allows an unauthenticated attacker to execute arbitrary SQL queries via a POST request. The issue is located in the "/web comunications/cms/get provincias" endpoint through the id territorio parameter, which is processed after the registration form is submitted.

Recommendations Update MegaCMS version 12.0.0 to a patched version. Avoid using the id territorio parameter in the "/web comunications/cms/get provincias" endpoint until the issue is resolved.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2026-3325

Affected Products

Megacms

PT-2026-35884 · Megacms · Megacms

CVE-2026-3325

Weakness Enumeration

Related Identifiers

Affected Products

References · 5