CVE-2026-3325 PUBLISHED

SQL injection in MegaCMS by CRM Sistemas de Fidelización

Assigner: INCIBE
Reserved: 27.02.2026
Published: 29.04.2026
Updated: 29.04.2026

SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input: the “id_territorio” parameter, sent in a POST request and used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries.
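The root cause named above (a request parameter reaching the SQL statement without validation) is the general CWE-89 pattern, so the following added example shows it beside the fix. This is illustrative code written for this page, not MegaCMS source; the table name, column names and sample rows are constructed assumptions, and SQLite stands in for whatever database the product uses.

```python
import re
import sqlite3

# Constructed sample data standing in for the lookup table behind a
# get_provincias-style endpoint. Schema and values are assumptions.
SAMPLE_ROWS = [
    (1, 1, "Albacete"),
    (2, 1, "Alicante"),
    (3, 2, "Barcelona"),
    (4, 2, "Girona"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE provincias "
        "(id INTEGER PRIMARY KEY, id_territorio INTEGER, nombre TEXT)"
    )
    conn.executemany("INSERT INTO provincias VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_provincias_vulnerable(conn: sqlite3.Connection, id_territorio: str) -> list:
    """The CWE-89 pattern: the raw request value is spliced into the SQL text,
    so whatever the client sends is parsed as part of the statement."""
    sql = f"SELECT nombre FROM provincias WHERE id_territorio = {id_territorio}"
    return [row[0] for row in conn.execute(sql)]


def get_provincias_fixed(conn: sqlite3.Connection, id_territorio: str) -> list:
    """Hardened form: reject anything that is not a plain integer, then pass the
    value as a bound parameter so the database never treats it as SQL."""
    if not re.fullmatch(r"[0-9]{1,9}", id_territorio):
        raise ValueError("id_territorio must be a positive integer")
    sql = "SELECT nombre FROM provincias WHERE id_territorio = ?"
    return [row[0] for row in conn.execute(sql, (int(id_territorio),))]


def fixed_rejects(id_territorio: str) -> bool:
    """Helper for checking the validation step: True if the hardened handler
    refuses the given request value."""
    try:
        get_provincias_fixed(make_db(), id_territorio)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("expected id_territorio=1:", get_provincias_fixed(db, "1"))
    # A non-integer value changes the meaning of the concatenated statement in
    # the vulnerable handler, while the hardened handler refuses it outright.
    print("vulnerable handler, non-integer input:",
          get_provincias_vulnerable(db, "1 OR 1=1"))
    print("hardened handler rejects it:", fixed_rejects("1 OR 1=1"))
```

Input validation alone is not the fix; the bound placeholder is what keeps the value out of the SQL grammar, and the allow-list check on top of it gives a clean 400 response and a log line to alert on instead of a database error.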

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L
CVSS Score: 10

Product Status

Vendor CRM Sistemas de Fidelización
Product MegaCMS
Versions Default: unaffected
  • Version 12.0.0 is affected

Solutions

Update to the latest available version.

Credits

  • Miguel Ovejero (Lapsor) finder

References

Problem Types

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')