CVE-2026-36962

HIGH

MuuCMF T6 1.9.4.20260115 - SQL Injection

Title source: llm

Description

SQL Injection in MuuCMF T6 v1.9.4.20260115 allows an unauthenticated attacker to compromise the entire database, achieve unauthorized administrative access, and potentially gain remote code execution by writing malicious files to the server's file system via the keyword parameter in the /index/controller/Search.php endpoint.

References (2)

Core 2

Core References

https://gitee.com/dameng100/muucmf

https://thinhneee.github.io/posts/muucmf-sqli/

Scores

CVSS v3 7.3

EPSS 0.0036

EPSS Percentile 28.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-89

Status published

Published May 11, 2026

Tracked Since May 11, 2026