Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
CMS ALAYA provided by KANATA Limited contains an SQL injection vulnerability. Information stored in the database may be obtained or altered by an attacker with access to the administrative interface.
AnalysisAI
SQL injection in CMS ALAYA 7.4.1.4 and earlier allows authenticated administrators to obtain or modify database information through the administrative interface. The vulnerability requires high-privilege access (PR:H) and carries low confidentiality, integrity, and availability impact per CVSS 4.0 scoring. No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
CMS ALAYA is a content management system provided by KANATA Limited. The SQL injection vulnerability (CWE-89) exists within the administrative interface, meaning the underlying database query construction fails to properly sanitize or parameterize user-supplied input from privileged users. SQL injection allows attackers to craft malicious SQL statements that modify the query logic, potentially reading, modifying, or deleting database records depending on database permissions and backend architecture. The vulnerability is accessible over the network (AV:N) with low attack complexity (AC:L), but is restricted to high-privilege users (PR:H).
RemediationAI
Upgrade CMS ALAYA to a version later than 7.4.1.4 as soon as a patched release becomes available from KANATA Limited. Consult the official JPCERT vulnerability report at https://jvn.jp/en/jp/JVN08026319/ for confirmed patch availability and release notes. Until patching is possible, implement strict administrative access controls: restrict administrative interface access to specific IP ranges or VPNs, enforce multi-factor authentication for all administrative accounts, audit and rotate administrator credentials regularly, and monitor administrative interface logs for anomalous SQL patterns or data access. These controls reduce the likelihood of unauthorized admin access but do not eliminate the vulnerability itself; patching remains the definitive remediation.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25184
GHSA-g347-f6xx-g55w