Critical RCE Vulnerability Discovered in Mura CMS

Critical RCE Vulnerability Discovered in Mura CMS

First seen 14 Jul 2026, 16:28 UTC Incibe.EsBeyondmachinescve.mitre.org 91% similarity 69.9

Article Content

Browse articles
ThreatCluster

Mura Software has disclosed a critical remote code execution (RCE) vulnerability in its Content Management System (CMS), tracked as CVE-2026-12257. This flaw affects versions prior to 10.0.712 and allows unauthenticated remote attackers to execute arbitrary code via the improperly sanitized 'method' parameter in POST requests to the API endpoint '/index.cfm/_api/json/v1/default'. The vulnerability has a CVSS score of 9.3, indicating a high severity level. No official fix has been reported as of the publication date, prompting administrators to restrict access to the affected endpoint and implement web application firewall rules to mitigate risks. The vulnerability was published on July 13, 2026, and is currently unpatched, raising concerns about potential exploitation.

Key Points: • CVE-2026-12257 is a critical RCE vulnerability in Mura CMS affecting versions before 10.0.712. • Attackers can exploit the flaw via crafted POST requests to the '/index.cfm/_api/json/v1/default' endpoint. • No official fix is available; administrators should restrict access and employ WAF rules.

ThreatCluster AI

Timeline

2026-07-13
CVE-2026-12257 published
Mura Software disclosed a critical RCE vulnerability in its CMS, affecting versions prior to 10.0.712.
Beyondmachines
2026-07-14
Vulnerability advisory released
INCIBE coordinated the publication of the RCE vulnerability, confirming its critical nature and lack of a fix.
Incibe.Es

Community

Browse all →