Back to CVE List

CVE-2026-12257

Vulnerability Description

Versions of Mura CMS prior to 10.0.712 contain a critical remote code execution (RCE) vulnerability. The flaw is located in the endpoint “/index.cfm/_api/json/v1/default”, where the “method” parameter in POST requests is not properly validated or sanitised before being processed by the ColdFusion engine. As a result, a remote attacker could exploit this vulnerability to inject and execute arbitrary CFML (ColdFusion Markup Language) expressions and instantiate malicious Java objects, thereby compromising the system’s security.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-94
Source
NVD
Vendor
Mura Software
Product
CMS

External References

Discussion (0)

Add Comment

No comments yet. Be the first!