CVE-2026-3325
Published 2026-04-29. SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint.
Priority P2 · 65 · critical · 10 · CVSS 4.0
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (threat, environmental and supplemental metrics not defined)
EPSS: 0.27% (18.3th percentile)
SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the “id_territorio” parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries.
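The defect pattern described above, as an added illustration that is not MegaCMS code (the real schema and handler are not public): a lookup of provinces by territory id that splices the POST parameter into the query, beside a hardened version that validates `id_territorio` as a decimal integer and binds it as a query parameter. Table and column names are assumptions; sample rows are constructed.

```python
import re
import sqlite3

# Constructed sample data standing in for the CMS's province table
# (assumption: real table/column names are not published).
SAMPLE_ROWS = [
    (1, 1, "Provincia A"),
    (2, 1, "Provincia B"),
    (3, 2, "Provincia C"),
]


def make_db():
    """In-memory SQLite database with a hypothetical 'provincias' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE provincias (id INTEGER PRIMARY KEY, "
        "id_territorio INTEGER, nombre TEXT)"
    )
    conn.executemany("INSERT INTO provincias VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_provincias_vulnerable(conn, id_territorio):
    """The defect the advisory describes: the raw POST value becomes SQL text."""
    sql = "SELECT nombre FROM provincias WHERE id_territorio = " + id_territorio
    return [row[0] for row in conn.execute(sql)]


def validate_id_territorio(value):
    """Return the id as int, or None if the value is not a plain decimal integer.

    re.fullmatch with [0-9] is used instead of str.isdigit(), which also accepts
    Unicode digits and superscripts that int() would then reject or misread.
    """
    if not isinstance(value, str) or re.fullmatch(r"[0-9]{1,9}", value) is None:
        return None
    return int(value)


def get_provincias_hardened(conn, id_territorio):
    """Validate the parameter, then bind it so it can never be parsed as SQL."""
    territorio = validate_id_territorio(id_territorio)
    if territorio is None:
        raise ValueError("id_territorio must be a decimal integer")
    sql = "SELECT nombre FROM provincias WHERE id_territorio = ?"
    return [row[0] for row in conn.execute(sql, (territorio,))]
```

The same `validate_id_territorio` check can be applied at a reverse proxy or in log review: any submitted `id_territorio` that it rejects is a request worth alerting on.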
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crm_sistemas_de_fidelizaci_n | megacms | — | — |
VulDB
CRM Sistemas de Fidelización MegaCMS 12.0.0 POST Request get_provincias id_territorio sql injection (EUVD-2026-26199)
vuldb · 2026-04-29 · CVSS 10.0 · CVE-2026-3325 [CRITICAL]
A vulnerability has been found in CRM Sistemas de Fidelización MegaCMS 12.0.0 and classified as critical. This issue affects some unknown processing of the file /web_comunications/cms/get_provincias of the component POST Request Handler. Manipulation of the argument id_territorio results in SQL injection.
This vulnerability is identified as CVE-2026-3325. The attack can be initiated remotely. No exploit is available.
GHSA
GHSA-894p-r722-q8j9: SQL injection (SQLi) in MegaCMS v12
ghsa_unreviewed · 2026-04-29 · CVE-2026-3325 [CRITICAL] · CWE-89
SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the “id_territorio” parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.