HarborGuard / CVE
Back to search
HIGHCVE-2026-7435Published Modified CNA VulnCheck

CVE-2026-7435: SSCMS v7.4.0 SQL Injection via stl:sqlContent queryString

SSCMS v7.4.0 contains a SQL injection vulnerability in the stl:sqlContent tag where the queryString attribute is passed directly to database execution without parameterization or sanitization. Attackers can craft encrypted payloads submitted to the /api/stl/actions/dynamic endpoint to execute arbitrary SQL statements, leading to unauthorized database access, data disclosure, authentication bypass, data modification, or complete database compromise.

Metrics

CVSS v4.0
8.6
Severity
HIGH
Fixed in
Affected Products
1
Affected packages
  • siteserver / SSCMS
    7.4.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References