CRITICAL
Mura Software
CVE published 2026-07-13
CVE-2026-12257
A critical remote code execution vulnerability exists in Mura CMS versions prior to 10.0.712. The vulnerability is located in the endpoint '/index.cfm/_api/json/v1/default', where the 'method' parameter in POST requests is not properly validated or sanitised before being processed by the ColdFusion engine. This allows a remote attacker to inject and execute arbitrary CFML expressions and instantiate malic [truncated]