Skip to main content

CMS ALAYA EUVDEUVD-2026-25184

| CVE-2026-40529 MEDIUM
SQL Injection (CWE-89)
2026-04-23 jpcert GHSA-g347-f6xx-g55w
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:02 vuln.today
CVSS changed
Apr 23, 2026 - 05:37 NVD
4.7 (MEDIUM) 5.1 (MEDIUM)
EUVD ID Assigned
Apr 23, 2026 - 05:00 euvd
EUVD-2026-25184
Analysis Generated
Apr 23, 2026 - 05:00 vuln.today
CVE Published
Apr 23, 2026 - 04:15 nvd
MEDIUM 5.1

DescriptionCVE.org

CMS ALAYA provided by KANATA Limited contains an SQL injection vulnerability. Information stored in the database may be obtained or altered by an attacker with access to the administrative interface.

AnalysisAI

SQL injection in CMS ALAYA 7.4.1.4 and earlier allows authenticated administrators to obtain or modify database information through the administrative interface. The vulnerability requires high-privilege access (PR:H) and carries low confidentiality, integrity, and availability impact per CVSS 4.0 scoring. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

CMS ALAYA is a content management system provided by KANATA Limited. The SQL injection vulnerability (CWE-89) exists within the administrative interface, meaning the underlying database query construction fails to properly sanitize or parameterize user-supplied input from privileged users. SQL injection allows attackers to craft malicious SQL statements that modify the query logic, potentially reading, modifying, or deleting database records depending on database permissions and backend architecture. The vulnerability is accessible over the network (AV:N) with low attack complexity (AC:L), but is restricted to high-privilege users (PR:H).

RemediationAI

Upgrade CMS ALAYA to a version later than 7.4.1.4 as soon as a patched release becomes available from KANATA Limited. Consult the official JPCERT vulnerability report at https://jvn.jp/en/jp/JVN08026319/ for confirmed patch availability and release notes. Until patching is possible, implement strict administrative access controls: restrict administrative interface access to specific IP ranges or VPNs, enforce multi-factor authentication for all administrative accounts, audit and rotate administrator credentials regularly, and monitor administrative interface logs for anomalous SQL patterns or data access. These controls reduce the likelihood of unauthorized admin access but do not eliminate the vulnerability itself; patching remains the definitive remediation.

Share

EUVD-2026-25184 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy