CVE-2026-3325 - Vulnerability Details

SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the “id_territorio” parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact Low

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Crm Sistemas De Fidelización	Megacms

No data.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-megacms-crm-sistemas-de-fidelizacion

History

Thu, 30 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 30 Apr 2026 08:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Crm Sistemas De Fidelización Crm Sistemas De Fidelización megacms
Vendors & Products		Crm Sistemas De Fidelización Crm Sistemas De Fidelización megacms

Wed, 29 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the “id_territorio” parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries.
Title		SQL injection in MegaCMS by CRM Sistemas de Fidelización
Weaknesses		CWE-89
References		https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-megacms-crm-sistemas-de-fidelizacion
Metrics		cvssV4_0 `{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L'}`

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2026-04-29T08:37:32.529Z

Updated: 2026-04-29T12:06:07.199Z

Reserved: 2026-02-27T13:20:09.388Z

Link: CVE-2026-3325

Vulnrichment

Updated: 2026-04-29T12:05:56.574Z

NVD

Status : Awaiting Analysis

Published: 2026-04-29T09:16:24.130

Modified: 2026-04-30T15:48:26.580

Link: CVE-2026-3325

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact Low

Exploitation none

Automatable yes

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object