🔐 CVE Alert

CVE-2026-3325

Severity: UNKNOWN (CVSS 0.0)

SQL injection in MegaCMS by CRM Sistemas de Fidelización

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

SQL injection (SQLi) in MegaCMS v12.0.0, in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. The “id_territorio” parameter, which is sent in a POST request immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries.

CWE: CWE-89
Vendor: CRM Sistemas de Fidelización
Product: MegaCMS
Published: Apr 29, 2026

Affected Versions

CRM Sistemas de Fidelización / MegaCMS: 12.0.0

References

incibe.es: https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-megacms-crm-sistemas-de-fidelizacion

Credits

Miguel Ovejero (Lapsor)