Skip to main content

Sscms EUVD-2026-12401

| CVE-2026-4234 LOW
SQL Injection (CWE-89)
2026-03-16 VulDB
SQLi Sscms
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
CVSS changed
Apr 22, 2026 - 21:37 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
PoC Detected
Mar 16, 2026 - 14:53 vuln.today
Public exploit code
EUVD ID Assigned
Mar 16, 2026 - 11:00 euvd
EUVD-2026-12401
Analysis Generated
Mar 16, 2026 - 11:00 vuln.today
CVE Published
Mar 16, 2026 - 10:32 nvd
MEDIUM 6.3

DescriptionCVE.org

A security flaw has been discovered in SSCMS 7.4.0. This vulnerability affects unknown code of the file SitesAddController.Submit.cs of the component DDL Handler. The manipulation of the argument tableHandWrite results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SQL injection in SSCMS 7.4.0 via the tableHandWrite parameter in SitesAddController.Submit.cs allows authenticated remote attackers to execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment This vulnerability presents elevated real-world risk despite a moderate CVSS v3.1 score of 6.3. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user (which could be a low-privilege content editor or compromised account) submits a crafted HTTP request to the SitesAddController.Submit endpoint with a malicious SQL payload embedded in the tableHandWrite parameter, such as tableHandWrite=myTable'; DROP TABLE users; --. Since the DDL Handler concatenates this unsanitized input directly into a SQL CREATE/ALTER statement without parameterization, the injected DROP TABLE command executes with the database service's privilege level, destroying the users table or exfiltrating sensitive data. …
Remediation Immediate action: Contact the SSCMS vendor directly to obtain a patched version, as vendor responsiveness status is currently unknown despite early disclosure attempts. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-12401 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy