CVE-2026-12257
Mura Software · CMS
Mura Software CMS contains a critical remote code execution vulnerability via the “method” parameter in the “/index.cfm/_api/json/v1/default” endpoint, allowing unauthenticated injection of CFML code.
Executive summary
A critical remote code execution vulnerability in Mura Software CMS allows unauthenticated attackers to execute arbitrary code, posing a severe risk to system integrity and confidentiality.
Vulnerability
This vulnerability is a code injection flaw (CWE-94) triggered by improper validation of the "method" parameter within POST requests. The attacker requires no authentication (AV:N/AC:L/AT:N/PR:N) to reach the affected endpoint and execute arbitrary ColdFusion Markup Language (CFML) expressions.
Business impact
The ability for an unauthenticated attacker to execute arbitrary code typically results in a total compromise of the affected server. Given the CVSS score of 9.3, this represents an extreme risk, enabling unauthorized data access, lateral movement within the network, and potential full system takeover.
Remediation
Immediate Action: As there is currently no official patch, administrators should restrict network access to the affected endpoint or disable the vulnerable API functionality if it is not business-critical.
Proactive Monitoring: Monitor server logs for suspicious POST requests directed at "/index.cfm/_api/json/v1/default" containing CFML syntax or unusual Java object instantiations.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block malicious payloads targeting ColdFusion engine parameters and unexpected input in API method calls.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability is highly severe and requires immediate attention to prevent potential exploitation. Because no official vendor solution is currently available, prioritize the implementation of network-level access controls and WAF filtering to shield the vulnerable endpoint until a patch is released.