PT-2026-35884 · Crm Sistemas De Fidelización · Megacms
Miguel Ovejero
·
Published
2026-04-29
·
Updated
2026-04-29
·
CVE-2026-3325
CVSS v4.0
10
Critical
| AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L |
SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id territorio” parameter of the “/web comunications/cms/get provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input: the “id territorio” parameter, sent in a POST request immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries.
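As an added illustration (not code from this advisory or from MegaCMS, whose source is not shown here), the lookup below is written two ways over a constructed SQLite table: the string concatenation that the description implies, next to a version that validates the parameter as an integer and binds it. The table, column and function names are assumptions.

```python
import re
import sqlite3

def build_db():
    # Constructed stand-in for the CMS's province table (hypothetical schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE provincias (id INTEGER, id_territorio INTEGER, nombre TEXT)")
    conn.executemany("INSERT INTO provincias VALUES (?, ?, ?)", [
        (1, 10, "Madrid"), (2, 10, "Toledo"), (3, 20, "Sevilla"), (4, 30, "Valencia"),
    ])
    return conn

def get_provincias_vulnerable(conn, id_territorio):
    # The raw request parameter becomes part of the SQL text, so any SQL
    # the client appends is executed with the query's privileges.
    sql = "SELECT nombre FROM provincias WHERE id_territorio = " + id_territorio
    return [row[0] for row in conn.execute(sql)]

def get_provincias_fixed(conn, id_territorio):
    # 1) Validate: the parameter is a numeric identifier, so accept ASCII digits only.
    if not isinstance(id_territorio, str) or not re.fullmatch(r"[0-9]+", id_territorio):
        raise ValueError("id_territorio must be a positive integer")
    # 2) Parameterise: the driver binds the value; it is never spliced into the SQL.
    sql = "SELECT nombre FROM provincias WHERE id_territorio = ?"
    return [row[0] for row in conn.execute(sql, (int(id_territorio),))]

def demo():
    # Constructed input: a valid territory id, and one carrying a trailing tautology.
    conn = build_db()
    normal, hostile = "10", "10 OR 1=1"
    return {
        "vulnerable_normal": get_provincias_vulnerable(conn, normal),
        "vulnerable_hostile": get_provincias_vulnerable(conn, hostile),  # whole table leaks
        "fixed_normal": get_provincias_fixed(conn, normal),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
    try:
        get_provincias_fixed(build_db(), "10 OR 1=1")
    except ValueError as exc:
        print("fixed_hostile rejected:", exc)
```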
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Megacms