CVE-2026-12257

Mura Software · CMS

Mura Software CMS contains a critical remote code execution vulnerability via the “method” parameter in the “/index.cfm/_api/json/v1/default” endpoint, allowing unauthenticated injection of CFML code.

Executive summary

A critical remote code execution vulnerability in Mura Software CMS allows unauthenticated attackers to execute arbitrary code, posing a severe risk to system integrity and confidentiality.

Vulnerability

This vulnerability is a code injection flaw (CWE-94) triggered by improper validation of the "method" parameter within POST requests. The attacker requires no authentication (AV:N/AC:L/AT:N/PR:N) to reach the affected endpoint and execute arbitrary ColdFusion Markup Language (CFML) expressions.

Business impact

The ability for an unauthenticated attacker to execute arbitrary code typically results in a total compromise of the affected server. Given the CVSS score of 9.3, this represents an extreme risk, enabling unauthorized data access, lateral movement within the network, and potential full system takeover.

Remediation

Immediate Action: As there is currently no official patch, administrators should restrict network access to the affected endpoint or disable the vulnerable API functionality if it is not business-critical.

Proactive Monitoring: Monitor server logs for suspicious POST requests directed at "/index.cfm/_api/json/v1/default" containing CFML syntax or unusual Java object instantiations.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block malicious payloads targeting ColdFusion engine parameters and unexpected input in API method calls.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability is highly severe and requires immediate attention to prevent potential exploitation. Because no official vendor solution is currently available, prioritize the implementation of network-level access controls and WAF filtering to shield the vulnerable endpoint until a patch is released.