PatchSiren

Mura Software CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL Mura Software CVE published 2026-07-13

CVE-2026-12257

A critical remote code execution vulnerability exists in Mura CMS versions prior to 10.0.712. The vulnerability is located in the endpoint '/index.cfm/_api/json/v1/default', where the 'method' parameter in POST requests is not properly validated or sanitised before being processed by the ColdFusion engine. This allows a remote attacker to inject and execute arbitrary CFML expressions and instantiate malic [truncated]