CVE-2026-3325

Vulnerability Description

SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the “id_territorio” parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries.

Related Weaknesses (CWE)

References

• https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-megacms-crm-sis

FAQ

What is CVE-2026-3325?

CVE-2026-3325 is a documented vulnerability. SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and ...

How severe is CVE-2026-3325?

CVSS scoring is not yet available for CVE-2026-3325. Check NVD for updates.

Is there a patch for CVE-2026-3325?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.