PatchSiren cyber security CVE debrief
CVE-2026-38930 OpenRapid CVE debrief
CVE-2026-38930 describes an authentication bypass vulnerability in OpenRapid RapidCMS v1.3.1, specifically within the /template/default/menu.php component. The vulnerability can be exploited by injecting a crafted SQL payload into the 'name' cookie parameter. The CVE was published on 2026-05-27 and subsequently modified later that same day. The vulnerability status in the National Vulnerability Database is currently listed as 'Deferred'. The vendor attribution is marked as low confidence and flagged for review, with 'Openrapid' identified as a candidate vendor based on reference domain analysis. No CVSS score or severity rating has been assigned. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: OpenRapid
- Product: RapidCMS
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running OpenRapid RapidCMS v1.3.1, security teams monitoring deferred CVEs for status changes, and defenders responsible for web application security in PHP-based content management systems
Technical summary
The vulnerability exists in the /template/default/menu.php component of RapidCMS v1.3.1, where insufficient sanitization of the 'name' cookie parameter allows SQL injection that can bypass authentication controls. The attack vector requires the attacker to craft a malicious SQL payload and inject it via the cookie value.
Defensive priority
medium
Recommended defensive actions
- Review and validate vendor attribution for OpenRapid/RapidCMS, as current confidence is low and flagged for review
- Monitor NVD for CVSS score assignment and vulnerability status updates from 'Deferred'
- If RapidCMS v1.3.1 is deployed, audit /template/default/menu.php for SQL injection vulnerabilities in cookie handling
- Implement input validation and parameterized queries for all cookie parameters, particularly 'name'
- Consider web application firewall rules to detect SQL injection patterns in cookie values
- Review third-party security research at ref-6 for additional technical details pending vendor confirmation
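The cookie-handling pattern described in the technical summary, and the parameterized-query fix recommended above, as an added illustration that is not RapidCMS's own code: the first function shows the unsafe shape (a cookie value concatenated into SQL), the second the hardened form. The table name, column names, PDO handle and cookie layout are assumptions, and the demo data is constructed.

```php
<?php
// Added example, not code from RapidCMS or the CVE record. The 'users'
// table, its columns and the PDO handle are assumptions for the demo.

// Unsafe: the raw 'name' cookie is interpolated into the query text, so
// whatever the client stores in the cookie becomes part of the WHERE
// clause instead of being treated as data.
function lookupUserUnsafe(PDO $db, array $cookies): ?array
{
    $name = $cookies['name'] ?? '';
    $sql  = "SELECT id, name FROM users WHERE name = '$name'";
    $row  = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened: (1) reject cookie values that cannot be a username, and
// (2) bind the value as a parameter so it can never change the query
// structure. Binding alone stops injection; whether a client-supplied
// cookie should establish identity at all is a separate design question
// (a server-side session is the usual answer).
function lookupUserSafe(PDO $db, array $cookies): ?array
{
    $name = $cookies['name'] ?? '';
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $name)) {
        return null; // not a plausible username: no query is run at all
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Self-contained demo on an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('admin')");

// A cookie value containing a quote character is rejected by the
// allow-list before it reaches the database; a valid name is found.
var_dump(lookupUserSafe($db, ['name' => "ad'min"]));          // NULL
var_dump(lookupUserSafe($db, ['name' => 'admin'])['name']);    // "admin"
```

Auditing a PHP application for this pattern means looking for `$_COOKIE` (or any other request-controlled value) that reaches a query through string interpolation rather than a bound parameter; the unsafe function above is the shape to search for.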
Evidence notes
Vulnerability description sourced from official CVE record and NVD entry. Vendor attribution marked as low confidence with 'needsReview' flag. VulnStatus 'Deferred' per NVD metadata. No CVSS vector or weaknesses enumerated in source data.
Official resources
2026-05-27