SQL injection in MegaCMS by CRM Sistemas de Fidelización
Affected resources: MegaCMS version 12.0.0.
INCIBE has coordinated the publication of a critical severity vulnerability affecting MegaCMS by CRM Sistemas de Fidelización, software for managing reservation systems, ticketing, online sales, etc. The vulnerability was discovered by Miguel Ovejero (Lapsor).
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2026-3325: CVSS v4.0: 10.0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L | CWE-89
Solution: update MegaCMS to the latest available version.
CVE-2026-3325: SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input: the “id_territorio” parameter, sent in a POST request immediately after the registration form is submitted, can be manipulated by an unauthenticated attacker to execute arbitrary SQL queries against the backend database. No authentication or user interaction is required, which is why the CVSS vector carries PR:N and UI:N.
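The following is an added illustration of the CWE-89 pattern the advisory describes and of the fix that removes it; it is not MegaCMS code and nothing about MegaCMS's real implementation is known here. The in-memory SQLite database, the table and column names (`provincias`, `usuarios`, `id_territorio`, `nombre`), and the sample rows are all constructed for this example. `get_provincias_vulnerable` splices the POST parameter into the query text, so a tautology returns every province and a `UNION` pulls rows from an unrelated table; `get_provincias_hardened` validates the type and binds the value as a parameter, so the same payloads are rejected before any SQL runs.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the lookup behind get_provincias.

    Schema and rows are assumptions for this example, not MegaCMS's own.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE provincias (
            id INTEGER PRIMARY KEY,
            id_territorio INTEGER,
            nombre TEXT
        );
        INSERT INTO provincias VALUES
            (1, 1, 'Madrid'),
            (2, 1, 'Toledo'),
            (3, 2, 'Sevilla'),
            (4, 2, 'Cadiz');
        -- An unrelated table that an injected UNION can reach.
        CREATE TABLE usuarios (
            id INTEGER PRIMARY KEY,
            email TEXT,
            password_hash TEXT
        );
        INSERT INTO usuarios VALUES
            (1, 'admin@example.test', 'constructed-hash-value');
        """
    )
    return conn


def get_provincias_vulnerable(conn: sqlite3.Connection, id_territorio: str) -> list:
    """CWE-89: the untrusted POST parameter is concatenated into the SQL text.

    Any value the client sends becomes part of the query grammar.
    """
    sql = f"SELECT nombre FROM provincias WHERE id_territorio = {id_territorio}"
    return [row[0] for row in conn.execute(sql)]


def get_provincias_hardened(conn: sqlite3.Connection, id_territorio: str) -> list:
    """Hardened form: validate the type, then bind the value as a parameter.

    The driver sends the value separately from the query text, so it can
    never alter the statement's structure. The isdigit() check additionally
    enforces the only shape a territory id legitimately has.
    """
    if not id_territorio.isdigit():
        raise ValueError("id_territorio must be a non-negative integer")
    sql = "SELECT nombre FROM provincias WHERE id_territorio = ?"
    return [row[0] for row in conn.execute(sql, (int(id_territorio),))]


if __name__ == "__main__":
    db = build_db()
    # Legitimate request: both variants return the provinces of territory 1.
    print(get_provincias_vulnerable(db, "1"))
    print(get_provincias_hardened(db, "1"))
    # Tautology: the vulnerable handler leaks every row.
    print(get_provincias_vulnerable(db, "1 OR 1=1"))
    # UNION: the vulnerable handler returns data from a different table.
    print(get_provincias_vulnerable(db, "0 UNION SELECT email FROM usuarios"))
    # The hardened handler refuses both payloads before touching the database.
    for payload in ("1 OR 1=1", "0 UNION SELECT email FROM usuarios"):
        try:
            get_provincias_hardened(db, payload)
        except ValueError as exc:
            print("rejected:", exc)
```

The type check is a defence in depth on top of parameter binding, not a replacement for it: binding alone is what prevents injection, while the integer check gives a clean 4xx for malformed input instead of a database error that might leak schema details.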
| CVE identifier | Severity | Exploited | Vendor |
|---|---|---|---|
| CVE-2026-3325 | Critical | No | CRM Sistemas de Fidelización |