PatchSiren cyber security CVE debrief

CVE-2016-7400 Exponentcms CVE debrief

CVE-2016-7400 is a critical SQL injection issue in Exponent CMS before version 2.4.0. The weakness affects multiple request parameters across different controller actions, which means a remote attacker could influence database queries and execute arbitrary SQL commands if the vulnerable paths are exposed. Because the CVSS base score is 9.8 and the attack vector is network-based with no authentication required, this is a high-priority remediation item for any internet-facing Exponent CMS deployment.

Vendor: Exponentcms
Product: CVE-2016-7400
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-07
Original CVE updated: 2026-05-13
Advisory published: 2017-02-07
Advisory updated: 2026-05-13

Who should care

Administrators, developers, and security teams responsible for Exponent CMS instances running 2.3.9 or earlier should treat this as urgent. Any system exposing the affected controller actions should be reviewed, especially public-facing sites that process blog, address, or comment-related requests.

Technical summary

NVD describes multiple SQL injection vulnerabilities in Exponent CMS before 2.4.0 affecting the id parameter in an activate_address address controller action, the title parameter in a show blog controller action, and the content_id parameter in a showComments expComment controller action. The NVD record maps the issue to CWE-89 and rates it CVSS 3.0 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating remote exploitation without privileges or user interaction.

Defensive priority

Critical. The combination of remote reachability, no authentication requirement, and full confidentiality/integrity/availability impact makes this a top-tier patching and exposure-reduction item.

Recommended defensive actions

Upgrade Exponent CMS to version 2.4.0 or later as the primary remediation.
Identify all deployed Exponent CMS instances and confirm whether any are at or below version 2.3.9.
Review web application logs for suspicious requests targeting the affected controller actions and parameters.
Apply compensating controls for any systems that cannot be upgraded immediately, such as restricting access to the application and monitoring database activity closely.
Validate that custom code or extensions do not reintroduce unsafe SQL construction patterns around the affected request paths.

Evidence notes

The NVD record lists the affected version range as all Exponent CMS versions through 2.3.9 and records CWE-89 with a CVSS 3.0 score of 9.8. The reference set includes vendor and patch links, including a GitHub commit and the v2.4.0 release tag, which support the upgrade boundary. The CVE record was published on 2017-02-07, while the reference list also points to September 2016 advisory material, suggesting earlier public discussion before CVE publication.

Official resources

CVE-2016-7400 CVE record
CVE.org
CVE-2016-7400 NVD detail
NVD
Source item URL
nvd_modified
Mitigation or vendor reference
[email protected] - Mailing List, Third Party Advisory
Mitigation or vendor reference
[email protected] - Mailing List, Third Party Advisory
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
Mitigation or vendor reference
[email protected] - Patch, Vendor Advisory
Mitigation or vendor reference
[email protected] - Issue Tracking, Patch, Third Party Advisory
Source reference
[email protected]
Source reference
[email protected]

The CVE record was published on 2017-02-07. NVD references include earlier September 2016 mailing list advisories, along with vendor patch and release references for Exponent CMS 2.4.0.