CVE-2025-56316
Published: 17 October 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-56316 is a SQL injection vulnerability (CWE-89) in MCMS 5.5.0, published on 2025-10-17. The flaw exists in the content_title parameter of the /cms/content/list endpoint, where unsanitized user input during FreeMarker template rendering enables remote attackers to execute arbitrary SQL queries. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to its network accessibility, low attack complexity, and lack of prerequisites.
Unauthenticated remote attackers can exploit this vulnerability by sending crafted requests to the affected endpoint. Successful exploitation allows execution of arbitrary SQL queries, potentially resulting in high confidentiality, integrity, and availability impacts, such as unauthorized data access, modification, or system disruption.
Advisories and additional details are available in the referenced GitHub Gist at https://gist.github.com/Erosion2020/5892757e0c6eeb647a218d1c3b323cff and the MCMS GitHub repository at https://github.com/ming-soft/MCMS.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web application endpoint directly enables T1190 (Exploit Public-Facing Application). Arbitrary SQL query execution facilitates T1213.006 (Data from Information Repositories: Databases) for unauthorized data access.