Skip to main content

Mura CVE-2025-67830

| EUVDEUVD-2025-208838 CRITICAL
SQL Injection (CWE-89)
2026-03-18 mitre
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 18, 2026 - 17:00 euvd
EUVD-2025-208838
Analysis Generated
Mar 18, 2026 - 17:00 vuln.today
CVE Published
Mar 18, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

Mura before 10.1.14 allows beanFeed.cfc getQuery sortby SQL injection.

AnalysisAI

A SQL injection vulnerability exists in the beanFeed.cfc component of Mura CMS before version 10.1.14, specifically in the getQuery function's sortby parameter. An attacker can inject arbitrary SQL commands through the sortby parameter to extract, modify, or delete database contents. The vulnerability affects Mura CMS installations running versions prior to 10.1.14.

Technical ContextAI

Mura CMS is a content management system built on ColdFusion/CFML that provides content management and publishing capabilities. The beanFeed.cfc component is a ColdFusion component responsible for handling feed-related database queries. The getQuery function constructs SQL queries using user-supplied input from the sortby parameter without proper sanitization or parameterized query preparation. This violates secure coding practices for ColdFusion/CFML applications, where parameterized queries (cfqueryparam) or input validation should be mandatory for dynamic SQL construction. The root cause is improper input validation and lack of query parameterization in the sortby sorting mechanism.

RemediationAI

Immediately upgrade Mura CMS to version 10.1.14 or later to receive the patch that addresses the SQL injection flaw in beanFeed.cfc. Consult the official Mura release notes at https://docs.murasoftware.com/v10/release-notes/#section-version-1014 for upgrade instructions and any breaking changes. As interim mitigation before patching is possible, restrict network access to the Mura CMS application using a web application firewall (WAF) with SQL injection detection rules, implement input validation on the sortby parameter at the application or reverse proxy level, and disable or restrict access to beanFeed.cfc endpoints if they are not required for production use. Review database user permissions to ensure the ColdFusion application account has minimal necessary privileges to limit the blast radius of successful injection.

Share

CVE-2025-67830 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy