Beyondmachines
Critical RCE Vulnerability Discovered in Mura CMS
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Mura Software has disclosed a critical remote code execution (RCE) vulnerability in its Content Management System (CMS), tracked as CVE-2026-12257. This flaw affects versions prior to 10.0.712 and allows unauthenticated remote attackers to execute arbitrary code via the improperly sanitized 'method' parameter in POST requests to the API endpoint '/index.cfm/_api/json/v1/default'. The vulnerability has a CVSS score of 9.3, indicating a high severity level. No official fix has been reported as of the publication date, prompting administrators to restrict access to the affected endpoint and implement web application firewall rules to mitigate risks. The vulnerability was published on July 13, 2026, and is currently unpatched, raising concerns about potential exploitation.
Key Points: • CVE-2026-12257 is a critical RCE vulnerability in Mura CMS affecting versions before 10.0.712. • Attackers can exploit the flaw via crafted POST requests to the '/index.cfm/_api/json/v1/default' endpoint. • No official fix is available; administrators should restrict access and employ WAF rules.