CVE 8.6 HIGH

SSCMS v7.4.0 SQL Injection via stl:sqlContent queryString_CVE-2026-7435

April 30, 2026 invoker category_cve

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

SSCMS v7.4.0 contains a SQL injection vulnerability in the stl:sqlContent tag where the queryString attribute is passed directly to database execution without parameterization or sanitization. Attackers can craft encrypted payloads submitted to the /api/stl/actions/dynamic endpoint to execute arbitrary SQL statements, leading to unauthorized database access, data disclosure, authentication bypass, data modification, or complete database compromise.

AI Analysis

SQL injection vulnerability in SSCMS v7.4.0 via stl:sqlContent queryString

Basic Information

ID CVE-2026-7435

Source VulnCheck

Published Apr 30, 2026 at 20:09

Affected Product

Vendor siteserver

Product SSCMS

Version 7.4.0

Affected Versions siteserver SSCMS 7.4.0

CWE Classification

CWE-89

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor siteserver

Product SSCMS

Version 7.4.0

References

{
    "lastseen": "",
    "description": "SSCMS v7.4.0 contains a SQL injection vulnerability in the stl:sqlContent tag where the queryString attribute is passed directly to database execution without parameterization or sanitization. Attackers can craft encrypted payloads submitted to the /api/stl/actions/dynamic endpoint to execute arbitrary SQL statements, leading to unauthorized database access, data disclosure, authentication bypass, data modification, or complete database compromise.",
    "published": "2026-04-30T20:09:17.935Z",
    "modified": "2026-04-30T20:09:17.935Z",
    "type": "cve",
    "title": "SSCMS v7.4.0 SQL Injection via stl:sqlContent queryString",
    "source": "VulnCheck",
    "references": "https://github.com/siteserver/cms/issues/3891\nhttps://github.com/siteserver/cms\nhttps://www.vulncheck.com/advisories/sscms-sql-injection-via-stl-sqlcontent-querystring",
    "id": "CVE-2026-7435",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "siteserver SSCMS 7.4.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SSCMS",
    "version": "7.4.0",
    "vendor": "siteserver",
    "ai_description": "SQL injection vulnerability in SSCMS v7.4.0 via stl:sqlContent queryString",
    "ai_severity": "High",
    "ai_vendor": "siteserver",
    "ai_product": "SSCMS",
    "ai_version": "7.4.0",
    "ai_score": 8.6
}

💭 Join the Security Discussion ❌ Cancel Reply