SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the “id_territorio” parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries.
State: PUBLISHED (CVE record format 5.2)
SQL injection in MegaCMS by CRM Sistemas de Fidelización
Problem type
CWE-89 Improper neutralization of special elements used in an SQL command ('SQL injection')
Affected products
CRM Sistemas de Fidelización
MegaCMS
12.0.0 - AFFECTED
References
GitHub Security Advisories
GHSA-894p-r722-q8j9
https://github.com/advisories/GHSA-894p-r722-q8j9
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-3325
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-3325",
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"dateUpdated": "2026-04-29T08:37:32.529Z",
"dateReserved": "2026-02-27T13:20:09.388Z",
"datePublished": "2026-04-29T08:37:32.529Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE",
"dateUpdated": "2026-04-29T08:37:32.529Z"
},
"datePublic": "2026-04-29T08:18:00.000Z",
"title": "SQL injection in MegaCMS by CRM Sistemas de Fidelización",
"descriptions": [
{
"lang": "en",
"value": "SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the “id_territorio” parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the “id_territorio” parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries."
}
]
}
],
"affected": [
{
"vendor": "CRM Sistemas de Fidelización",
"product": "MegaCMS",
"defaultStatus": "unaffected",
"versions": [
{
"version": "12.0.0",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-89 Improper neutralization of special elements used in an SQL command ('SQL injection')",
"cweId": "CWE-89",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-megacms-crm-sistemas-de-fidelizacion",
"tags": [
"patch"
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"solutions": [
{
"lang": "en",
"value": "Update to the latest available version.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "Update to the latest available version."
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Miguel Ovejero (Lapsor)",
"type": "finder"
}
]
}
}
}