Remote Code Execution Vulnerability in Mura CMS by Mura Software
CVE-2026-12257

5.1MEDIUM

Key Information:

Status
Vendor
CVE Published:
13 July 2026

What is CVE-2026-12257?

Mura CMS versions prior to 10.0.712 are susceptible to a remote code execution vulnerability due to improper validation of the 'method' parameter in POST requests within the endpoint '/index.cfm/_api/json/v1/default'. This flaw allows attackers to inject and execute arbitrary ColdFusion Markup Language (CFML) expressions and instantiate malicious Java objects, potentially compromising the integrity and security of the affected systems.

Affected Version(s)

CMS 10.0.712

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Miguel Segovia Gil
.