SQL Injection Vulnerability in SSCMS by SiteServer
CVE-2026-7435

8.6HIGH

Key Information:

Vendor: Siteserver
Status: Sscms
Vendor: CVE Published:; 30 April 2026

What is CVE-2026-7435?

SSCMS v7.4.0 is susceptible to a SQL injection flaw within the stl:sqlContent tag. This vulnerability stems from the queryString attribute being executed directly against the database without proper parameterization or sanitization. Malicious actors can exploit this by devising specially crafted encrypted payloads sent to the /api/stl/actions/dynamic endpoint, which may result in executing arbitrary SQL commands. Consequently, this can lead to unauthorized database access, potential data breaches, authentication bypass, unauthorized data alterations, or even full database compromise.

Affected Version(s)

SSCMS 7.4.0

References

https://github.com/siteserver/cms/issues/3891

issue-tracking

https://github.com/siteserver/cms

product

https://www.vulncheck.com/advisories/sscms-sql-injection-...

third-party-advisory

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 30, 2026
Vulnerability Reserved
Apr 29, 2026

Credit

hss94531 (https://github.com/hss94531)

Beatriz Fresno Naumova

CVE-2026-7435 Data

JSON

Siteserver

What is CVE-2026-7435?

Affected Version(s)

References

CVSS V4

Timeline

Credit