🔐 CVE Alert

CVE-2026-12257

UNKNOWN 0.0

Remote code execution in Mura Software’s CMS

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Versions of Mura CMS prior to 10.0.712 contain a critical remote code execution (RCE) vulnerability. The flaw is located in the endpoint “/index.cfm/_api/json/v1/default”, where the “method” parameter in POST requests is not properly validated or sanitised before being processed by the ColdFusion engine. As a result, a remote attacker could exploit this vulnerability to inject and execute arbitrary CFML (ColdFusion Markup Language) expressions and instantiate malicious Java objects, thereby compromising the system’s security.

CWE CWE-94
Vendor mura software
Product cms
Published Jul 13, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for mura software cms

Be the first to know when new unknown vulnerabilities affecting mura software cms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Mura Software / CMS
10.0.712

References

NVD ↗ CVE.org ↗ EPSS Data ↗
incibe.es: https://www.incibe.es/en/incibe-cert/notices/aviso/remote-code-execution-mura-softwares-cms

Credits

Miguel Segovia Gil