CVE-2025-56316

CRITICAL 9.8
EPSS 0.16%

MCMS vulnerable to SQL injection via the content_title parameter

Published: 10/17/2025
Modified: 10/21/2025
Also known as: GHSA-54wc-49qj-5ghj

Description

A SQL injection vulnerability in the content_title parameter of the /cms/content/list endpoint in MCMS 5.5.0 through 6.0.1 allows remote attackers to execute arbitrary SQL queries via unsanitized input in the FreeMarker template rendering.

Affected packages (1)

CVSS scores

Source | Version | Severity | Vector
osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)