CVE-2026-7435
Published: 30 April 2026
Summary
CVE-2026-7435 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 34.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-7435, published on 2026-04-30, is a SQL injection vulnerability (CWE-89) in SSCMS v7.4.0. The flaw resides in the stl:sqlContent tag, where the queryString attribute is passed directly to database execution without parameterization or sanitization. It has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H), indicating high severity due to network accessibility, low attack complexity, high privileges required, and high impacts on confidentiality, integrity, and availability.
Attackers with high privileges can exploit the vulnerability by crafting encrypted payloads and submitting them to the /api/stl/actions/dynamic endpoint. This enables execution of arbitrary SQL statements, potentially leading to unauthorized database access, data disclosure, authentication bypass, data modification, or complete database compromise.
Mitigation details are available in related advisories and resources, including the VulnCheck advisory at https://www.vulncheck.com/advisories/sscms-sql-injection-via-stl-sqlcontent-querystring, the GitHub issue at https://github.com/siteserver/cms/issues/3891, and the SSCMS repository at https://github.com/siteserver/cms.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26437
Vulnerability details
SSCMS v7.4.0 contains a SQL injection vulnerability in the stl:sqlContent tag where the queryString attribute is passed directly to database execution without parameterization or sanitization. Attackers can craft encrypted payloads submitted to the /api/stl/actions/dynamic endpoint to execute arbitrary SQL statements, leading to unauthorized database access, data disclosure, authentication bypass, data modification, or complete database compromise.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web application (SSCMS) directly enables T1190 (Exploit Public-Facing Application) via the /api endpoint; arbitrary SQL execution then facilitates T1213.006 (Data from Information Repositories: Databases) for data disclosure and modification.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and sanitization of untrusted inputs like the queryString attribute before database execution to prevent SQL injection exploitation.
- SI-2 (Flaw Remediation): Mandates identification, reporting, and correction of flaws such as the lack of parameterization in the stl:sqlContent tag, enabling patching to eliminate the vulnerability.
- RA-5 (Vulnerability Monitoring and Scanning): Requires scanning for vulnerabilities like this SQL injection in SSCMS and timely remediation to prevent exploitation via the /api/stl/actions/dynamic endpoint.
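The SI-10 control above asks for validation of the queryString attribute before it reaches the database, but a tag like stl:sqlContent takes the whole statement as its attribute, so ordinary parameter binding cannot by itself make it safe. The example below is an added illustration, not SSCMS's code or its actual fix, and it uses Python's sqlite3 module rather than the project's own stack. It shows a defensive execution path for template-supplied SQL with three independent layers: a syntactic allow-list (one SELECT, no comment markers, no statement chaining), an engine-level read-only mode (PRAGMA query_only), and sqlite3's authorizer hook, which vetoes any action other than SELECT or a read of an explicitly allow-listed table at prepare time. The function names, table names and sample rows are constructed for the example.

```python
"""Constructed example: guarding a template tag that executes a SQL string.

Hypothetical helper names; the sample database and its rows are made up.
"""
import re
import sqlite3


class QueryRejected(ValueError):
    """Raised when a template-supplied query fails one of the guards."""


# Authorizer action codes a read-only report query legitimately triggers.
# The numeric fallbacks are SQLite's documented codes, in case a Python
# build does not export one of the named constants.
_SELECT = getattr(sqlite3, "SQLITE_SELECT", 21)
_READ = getattr(sqlite3, "SQLITE_READ", 20)
_FUNCTION = getattr(sqlite3, "SQLITE_FUNCTION", 31)
_ALLOWED_ACTIONS = {_SELECT, _READ, _FUNCTION}

# Tables a template is allowed to read. Anything else (credential tables,
# sqlite_master, ...) is refused even inside an otherwise valid SELECT.
_TEMPLATE_READABLE_TABLES = {"content"}

# Exactly one SELECT; an optional trailing semicolon but nothing after it,
# so "SELECT 1; DROP TABLE ..." cannot pass as a single statement.
_SINGLE_SELECT = re.compile(r"^\s*SELECT\b[^;]*;?\s*$", re.IGNORECASE)
_MAX_ROWS = 500


def _authorizer(action, arg1, arg2, db_name, trigger):
    """SQLite calls this for every operation while compiling a statement.

    Returning SQLITE_DENY aborts the whole statement before it runs.
    For SQLITE_READ, arg1 is the table name and arg2 the column name.
    """
    if action not in _ALLOWED_ACTIONS:
        return sqlite3.SQLITE_DENY
    if action == _READ and (arg1 or "").lower() not in _TEMPLATE_READABLE_TABLES:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def harden_connection(conn):
    """Make a connection unable to write, then veto non-read actions."""
    # Engine-level read-only mode. Must be set before the authorizer is
    # installed, because the authorizer denies PRAGMA afterwards (so a
    # template cannot switch it back off either).
    conn.execute("PRAGMA query_only = 1")
    conn.set_authorizer(_authorizer)


def run_report_query(conn, query_string):
    """Execute template-supplied SQL through all three guards.

    Returns the rows on success; raises QueryRejected on any refusal.
    """
    # Layer 1: syntactic allow-list. Comment markers are refused outright
    # because they are a standard way to hide or truncate a statement.
    if "--" in query_string or "/*" in query_string:
        raise QueryRejected("comment markers are not allowed")
    if not _SINGLE_SELECT.match(query_string):
        raise QueryRejected("only a single SELECT statement is allowed")
    # Layers 2 and 3 (query_only + authorizer) surface as DatabaseError,
    # which also covers sqlite3's own refusal to run chained statements.
    try:
        rows = conn.execute(query_string).fetchmany(_MAX_ROWS + 1)
    except sqlite3.DatabaseError as exc:
        raise QueryRejected(f"database refused the query: {exc}") from exc
    if len(rows) > _MAX_ROWS:
        raise QueryRejected("result exceeds the row cap")
    return rows


def build_sample_db():
    """Constructed in-memory database with a readable and a sensitive table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE content(id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        INSERT INTO content(title, published)
            VALUES ('Welcome', 1), ('Draft post', 0), ('Release notes', 1);
        CREATE TABLE admin_user(name TEXT, password_hash TEXT);
        INSERT INTO admin_user VALUES ('admin', 'hash-placeholder');
        """
    )
    harden_connection(conn)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print(run_report_query(db, "SELECT title FROM content WHERE published = 1 ORDER BY id"))
    for bad in (
        "SELECT 1; DROP TABLE content",
        "UPDATE content SET published = 0",
        "SELECT password_hash FROM admin_user",
        "SELECT sql FROM sqlite_master",
    ):
        try:
            run_report_query(db, bad)
        except QueryRejected as err:
            print(f"rejected: {bad!r}: {err}")
```

The three layers are deliberately redundant: the regex is cheap but easy to get wrong, query_only stops writes even if the regex is bypassed, and the authorizer is the only layer that can enforce a per-table policy for what a template may read. Restricting who can author templates that carry this tag remains the primary control; the guard above limits the blast radius when that boundary is crossed.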