CVE 10 CRITICAL

SQL injection in MegaCMS by CRM Sistemas de Fidelización_CVE-2026-3325

April 29, 2026 invoker category_cve

10 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L

Description

SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the “id_territorio” parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries.

AI Analysis

SQL injection vulnerability in MegaCMS due to inadequate validation and sanitization of user input, allowing an unauthenticated attacker to execute arbitrary SQL queries.

Basic Information

ID CVE-2026-3325

Source INCIBE

Published Apr 29, 2026 at 08:37

Affected Product

Vendor CRM Sistemas de Fidelización

Product MegaCMS

Version 12.0.0

Affected Versions CRM Sistemas de Fidelización MegaCMS 12.0.0

CWE Classification

CWE-89

AI Assessment

AI Score 10 / 10

AI Severity Critical

Vendor CRM Sistemas de Fidelización

Product MegaCMS

Version 12.0.0

References

www.incibe.es /en/incibe-cert/notices/aviso/sql-injection-megacms-crm-sistemas-de-fidelizacion

{
    "lastseen": "",
    "description": "SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the \u201cid_territorio\u201d parameter of the \u201c/web_comunications/cms/get_provincias\u201d endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the \u201cid_territorio\u201d parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries.",
    "published": "2026-04-29T08:37:32.529Z",
    "modified": "2026-04-29T08:37:32.529Z",
    "type": "cve",
    "title": "SQL injection in MegaCMS by CRM Sistemas de Fidelizaci\u00f3n",
    "source": "INCIBE",
    "references": "https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-megacms-crm-sistemas-de-fidelizacion",
    "id": "CVE-2026-3325",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "CRM Sistemas de Fidelizaci\u00f3n MegaCMS 12.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "MegaCMS",
    "version": "12.0.0",
    "vendor": "CRM Sistemas de Fidelizaci\u00f3n",
    "ai_description": "SQL injection vulnerability in MegaCMS due to inadequate validation and sanitization of user input, allowing an unauthenticated attacker to execute arbitrary SQL queries.",
    "ai_severity": "Critical",
    "ai_vendor": "CRM Sistemas de Fidelizaci\u00f3n",
    "ai_product": "MegaCMS",
    "ai_version": "12.0.0",
    "ai_score": 10
}

💭 Join the Security Discussion ❌ Cancel Reply