CVE-2026-12257
Remote code execution in Mura Software’s CMS
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Versions of Mura CMS prior to 10.0.712 contain a critical remote code execution (RCE) vulnerability. The flaw is located in the endpoint “/index.cfm/_api/json/v1/default”, where the “method” parameter in POST requests is not properly validated or sanitised before being processed by the ColdFusion engine. As a result, a remote attacker could exploit this vulnerability to inject and execute arbitrary CFML (ColdFusion Markup Language) expressions and instantiate malicious Java objects, thereby compromising the system’s security.
| CWE | CWE-94 |
| Vendor | mura software |
| Product | cms |
| Published | Jul 13, 2026 |
| Last Updated | Jul 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for mura software cms
Be the first to know when new unknown vulnerabilities affecting mura software cms are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
Affected Versions
Mura Software / CMS
10.0.712
References
Credits
Miguel Segovia Gil