Remote code execution in Mura Software’s CMS

Posted date 13/07/2026
Identificador
INCIBE-2026-481
Importance
5 - Critical
Affected Resources
  • Mura CMS: versions prior to 10.0.712.
Description

INCIBE has coordinated the publication of a medium-severity vulnerability affecting Mura Software’s CMS, a content management system designed to create, manage and publish digital content. The vulnerability was discovered by Miguel Segovia Gil.

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2026-12257: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-94
Solution

No solution has been reported as yet.

Detail

CVE-2026-12257: Versions of Mura CMS prior to 10.0.712 contain a critical remote code execution (RCE) vulnerability. The flaw is located in the endpoint “/index.cfm/_api/json/v1/default”, where the “method” parameter in POST requests is not properly validated or sanitised before being processed by the ColdFusion engine. As a result, a remote attacker could exploit this vulnerability to inject and execute arbitrary CFML (ColdFusion Markup Language) expressions and instantiate malicious Java objects, thereby compromising the system’s security.

CVE
Identificador CVE Severidad Explotación Fabricante
CVE-2026-12257 Crítica No Mura Software
References list
Etiquetas