CVE-2026-7435

Name of the Vulnerable Software and Affected Versions SSCMS version 7.4.0

Description An issue exists in the stl:sqlContent tag where the queryString attribute is passed directly to database execution without parameterization or sanitization. This allows attackers to submit encrypted payloads to the '/api/stl/actions/dynamic' endpoint to execute arbitrary SQL statements. This can lead to unauthorized database access, data disclosure, authentication bypass, data modification, or complete database compromise.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.