
SSCMS v7.4.0 contains a SQL injection vulnerability in the stl:sqlContent tag where the queryString attribute is passed directly to database execution without p…

Published:

29 April 2026 at 22:00:00

Alert date:

30 April 2026 at 22:00:48

Source:

nvd.nist.gov


Web Technologies, Database & Storage

SSCMS v7.4.0 contains a critical SQL injection vulnerability in the stl:sqlContent tag where the queryString attribute is passed directly to database execution without proper sanitization. Attackers can exploit this flaw by crafting encrypted payloads and submitting them to the /api/stl/actions/dynamic endpoint. The vulnerability allows execution of arbitrary SQL statements, potentially leading to unauthorized database access, data disclosure, authentication bypass, data modification, or complete database compromise. The lack of parameterization makes this a high-severity security issue that could result in total system compromise.

Technical details

Mitigation steps:

Affected products:

SSCMS

Related links:

Related CVEs:

Related threat actors:

IOCs:

/api/stl/actions/dynamic
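
Because the advisory describes the payloads as encrypted, matching SQL keywords in requests is unlikely to help; triage has to key on the endpoint itself. The following sketch is an added example, not part of the advisory or of SSCMS: it groups access-log requests to the listed endpoint by client address. The combined log format, the threshold, the case-insensitive path match and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

IOC_PATH = "/api/stl/actions/dynamic"  # endpoint listed in this advisory

# Assumed input: common/combined access-log format (adapt for IIS W3C logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def triage(lines, threshold=3):
    """Group requests to IOC_PATH by client IP; flag IPs with >= threshold hits."""
    hits = defaultdict(lambda: {"count": 0, "statuses": defaultdict(int),
                                "first": None, "last": None})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line, skip
        # Compare the path only: drop query string and trailing slash, and
        # ignore case (assumption: the server may route case-insensitively).
        path = m["target"].split("?", 1)[0].rstrip("/").lower()
        if path != IOC_PATH:
            continue
        rec = hits[m["ip"]]
        rec["count"] += 1
        rec["statuses"][m["status"]] += 1  # 5xx bursts deserve a closer look
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
    return {ip: {**r, "statuses": dict(r["statuses"]),
                 "flagged": r["count"] >= threshold}
            for ip, r in hits.items()}

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Apr/2026:10:00:01 +0000] "POST /api/stl/actions/dynamic HTTP/1.1" 200 512',
    '203.0.113.7 - - [30/Apr/2026:10:00:02 +0000] "POST /api/stl/actions/dynamic HTTP/1.1" 500 87',
    '203.0.113.7 - - [30/Apr/2026:10:00:03 +0000] "POST /API/stl/actions/Dynamic?x=1 HTTP/1.1" 500 87',
    '198.51.100.20 - - [30/Apr/2026:10:05:00 +0000] "POST /api/stl/actions/dynamic HTTP/1.1" 200 430',
    '198.51.100.20 - - [30/Apr/2026:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    'not a log line',
]

if __name__ == "__main__":
    for ip, rec in triage(SAMPLE_LOG).items():
        print(ip, rec)
```

Sites that legitimately use dynamic STL tags will see normal traffic on this endpoint, so the threshold should be tuned against a baseline before alerting on it.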

This article was created with the assistance of AI technology by Perceptive.
