CVE-2026-3325

Deferred Deferred - Pending Action

SQL Injection in MegaCMS v12.0.0 Allows Arbitrary Query Execution

Publication date: 2026-04-29

Last updated on: 2026-05-19

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description

SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the “id_territorio” parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-29

Last Modified

2026-05-19

Generated

2026-06-16

AI Q&A

2026-04-29

EPSS Evaluated

2026-06-15

NVD

CVE-2026-3325

EUVD

EUVD-2026-26199

Affected Vendors & Products

Vendor	Product	Version / Range
crm_sistemas_de_fidelizacion	megacms	12.0.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2026-3325 is a critical SQL injection vulnerability found in MegaCMS version 12.0.0, a software used for managing reservation systems, ticketing, and online sales.

The vulnerability exists specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. This parameter is processed immediately after a registration form is submitted.

Due to inadequate validation and sanitization of user input, an unauthenticated attacker can manipulate the “id_territorio” parameter via a POST request to execute arbitrary SQL queries on the backend database.

Impact Analysis

This vulnerability allows an unauthenticated attacker to execute arbitrary SQL queries on the MegaCMS database.

Potential impacts include unauthorized data access, data modification, data deletion, or even complete compromise of the backend database.
Since the vulnerability is critical with a CVSS score of 10.0, it poses a high risk to the confidentiality, integrity, and availability of the affected system.

Detection Guidance

The vulnerability exists in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint, which is accessed via a POST request immediately after the registration form submission.

To detect this vulnerability on your system or network, you can monitor or test POST requests to this endpoint and specifically check if the “id_territorio” parameter is vulnerable to SQL injection by attempting to inject SQL payloads.

While no specific commands are provided in the resources, typical detection methods include using tools like sqlmap or crafting manual POST requests with SQL injection payloads targeting the “id_territorio” parameter at the “/web_comunications/cms/get_provincias” endpoint.

Mitigation Strategies

The recommended immediate mitigation step is to update MegaCMS to the latest available version where this SQL injection vulnerability has been fixed.

Compliance Impact

The provided information does not specify how the SQL injection vulnerability in MegaCMS v12.0.0 directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-3325 is a critical SQL injection vulnerability found in MegaCMS version 12.0.0, a software used for managing reservation systems, ticketing, and online sales.

The vulnerability exists in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint, which is processed immediately after a registration form is submitted.

Due to inadequate validation and sanitization of this parameter, an unauthenticated attacker can exploit it via a POST request to execute arbitrary SQL queries on the backend database.

Impact Analysis

This vulnerability allows an unauthenticated attacker to execute arbitrary SQL queries on the backend database of MegaCMS.

Potential unauthorized access to sensitive data stored in the database.
Data manipulation or deletion, leading to data integrity issues.
Compromise of the entire system's confidentiality, integrity, and availability.
Disruption of services such as reservation systems, ticketing, and online sales managed by MegaCMS.

Detection Guidance

Detection can involve monitoring POST requests to this endpoint and inspecting the “id_territorio” parameter for suspicious or malformed input that could indicate SQL injection attempts.

Specific commands are not provided in the available resources.

Mitigation Strategies

The recommended immediate mitigation is to update MegaCMS to the latest available version where this SQL injection vulnerability has been fixed.

Hi! I’m here to help you understand CVE-2026-3325. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-3325

SQL Injection in MegaCMS v12.0.0 Allows Arbitrary Query Execution

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart