# SSCMS SQL Injection via stl:sqlContent queryString (CVE-2026-7435)

**Author:** Beatriz Fresno Naumova, hss94531\
\
**Date:** 30/04/2026\
\
**Vendor:** siteserver\
\
**Product:** SSCMS\
\
**Version Affected:** 7.4.0\
\
**Component:** STL processing / `stl:sqlContent`\
\
**CWE:** CWE-89 – Improper Neutralization of Special Elements used in an SQL Command\
\
**Attack Vector:** Network

### Description

SSCMS v7.4.0 contains a SQL injection vulnerability in the `stl:sqlContent` tag, reachable through its `queryString` attribute.

The attribute value is handed to the database engine as-is, with no parameterization or validation. An attacker who can submit STL content encrypted with the site's `security_key` to the `/api/stl/actions/dynamic` endpoint can therefore execute arbitrary SQL statements against the backing database. Because producing valid encrypted content requires the key (or an administrator session that can generate it), the CVSS vectors below rate the required privileges as High.

### Impact

Successful exploitation may allow:

* Unauthorized database access
* Sensitive data disclosure
* Authentication bypass
* Data modification
* Complete database compromise

### CVSS Details

**CVSS v3.1 Vector:**\
`CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`

**Base Score:** 7.2 (High)

**CVSS v4.0 Vector:**\
`CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`

**Base Score:** 8.6 (High)

### Proof of Concept (PoC)

#### Steps to Reproduce

1. **Set up a vulnerable environment:**
   * SSCMS v7.4.0
   * SQLite database
   * Administrator access (to obtain or generate the `security_key`, if required)
2. **Identify the vulnerable behavior:**
   * The endpoint `/api/stl/actions/dynamic` accepts encrypted STL content.
   * This content is decrypted and processed on the server.
   * The `queryString` attribute within the `stl:sqlContent` tag is directly embedded into SQL queries without parameterization.
3. **Craft a malicious STL payload:**

```xml
<stl:sqlContent queryString="SELECT sqlite_version();" />
```

4. **Encrypt the payload:**
   * Encrypt the STL content with the target's `security_key`.
   * In lab environments the key may be hardcoded (for example in the Docker setup), which simplifies reproduction.
   * If the key is unknown, authenticate as an administrator and have the application generate valid encrypted STL content.
5. **Send the encrypted payload to the vulnerable endpoint:**
   * Submit a POST request to `/api/stl/actions/dynamic` carrying the encrypted value.
6. **Verify exploitation:**
   * If the request succeeds, the response contains the result of the executed SQL query (here, the SQLite version string).
   * Any SQL statement can be executed the same way, including:
     * Database schema extraction (`sqlite_master`)
     * Sensitive data retrieval
     * Data modification

### Mitigation

* Never pass template-controlled text into SQL queries; the `queryString` attribute should not be able to contribute SQL text at all.
* Use parameterized queries or prepared statements, with the SQL text fixed in code and only values bound at runtime.
* Validate STL template attributes before execution and reject anything outside an explicit allowlist.
* Restrict who can reach the STL dynamic processing endpoint, and treat the `security_key` as a secret: anyone holding it can produce valid encrypted STL content.
* Update SSCMS to a patched version when available.
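The script below is an added illustration written for this page; it is not SSCMS code and not part of the original advisory. Against a constructed in-memory SQLite database (the table and column names are invented and are not SSCMS's real schema) it models what the verification step of the PoC observes when `queryString` is executed verbatim: the version string, a `sqlite_master` schema listing, a credential dump and a data modification. Beside it is the pattern the mitigation list calls for: the template may only name a pre-registered query and supply bound values, so template text can never become SQL. The encryption and HTTP transport steps are not modelled, since the page does not specify the cipher or request format.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample database standing in for the SQLite backend of the PoC."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cms_admin (id INTEGER PRIMARY KEY, user_name TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO cms_admin (user_name, password) VALUES ('admin', 'placeholder-hash')"
    )
    conn.execute(
        "CREATE TABLE cms_content (id INTEGER PRIMARY KEY, title TEXT, checked INTEGER)"
    )
    conn.executemany(
        "INSERT INTO cms_content (title, checked) VALUES (?, ?)",
        [("Hello", 1), ("Draft", 0)],
    )
    conn.commit()
    return conn


def sqlite_version_string() -> str:
    """Version of the linked SQLite library, i.e. what the first PoC payload returns."""
    return sqlite3.sqlite_version


# --- Vulnerable pattern: attribute text goes straight to the engine ----------
def sql_content_vulnerable(conn: sqlite3.Connection, query_string: str) -> list:
    """Models the reported stl:sqlContent behaviour: queryString runs verbatim."""
    return conn.execute(query_string).fetchall()


# Payloads as they would appear in the queryString attribute (constructed).
POC_PAYLOADS = {
    "version": "SELECT sqlite_version();",
    "schema": "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name",
    "dump_admins": "SELECT user_name, password FROM cms_admin",
    "tamper": "UPDATE cms_content SET checked = 1 WHERE title = 'Draft'",
    "after_tamper": "SELECT COUNT(*) FROM cms_content WHERE checked = 1",
}


def run_poc(conn: sqlite3.Connection) -> dict:
    """Run each payload through the vulnerable path and collect the rows returned."""
    results = {}
    for name, sql in POC_PAYLOADS.items():
        results[name] = sql_content_vulnerable(conn, sql)
    conn.commit()
    return results


# --- Hardened pattern: templates name a query, never supply SQL text --------
# SQL text lives only here; a template can pick a name and pass values.
ALLOWED_QUERIES = {
    "published_titles": "SELECT title FROM cms_content WHERE checked = ? ORDER BY id",
    "content_by_id": "SELECT id, title FROM cms_content WHERE id = ?",
}


def sql_content_hardened(conn: sqlite3.Connection, query_name: str, params=()) -> list:
    """Execute a registered query with bound parameters; anything else is refused."""
    sql = ALLOWED_QUERIES.get(query_name)
    if sql is None:
        raise ValueError(f"unknown query name: {query_name!r}")
    if sql.count("?") != len(params):
        raise ValueError("parameter count does not match the registered query")
    # Values are bound by the driver, so "1 OR 1=1" is compared as data, not parsed.
    return conn.execute(sql, tuple(params)).fetchall()


def hardened_rejects(conn: sqlite3.Connection, query_name: str, params=()) -> bool:
    """True when the hardened path refuses the request instead of executing it."""
    try:
        sql_content_hardened(conn, query_name, params)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_sample_db()
    for name, rows in run_poc(db).items():
        print(f"{name}: {rows}")
    fresh = build_sample_db()
    print(sql_content_hardened(fresh, "published_titles", (1,)))
    print(sql_content_hardened(fresh, "content_by_id", ("1 OR 1=1",)))
    print(hardened_rejects(fresh, "SELECT user_name, password FROM cms_admin"))
```

The hardened variant is deliberately stricter than "escape the input": there is no code path in which template-supplied text is concatenated into SQL, so there is nothing to escape. If the rendering engine genuinely needs to run ad-hoc statements, the remaining layer is to run them on a connection that cannot write (for SQLite, `PRAGMA query_only = 1`) and under a database account limited to the tables the templates need, which bounds the damage but does not remove the injection.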

### Discoverer

* Beatriz Fresno Naumova
* hss94531

### References

* **CVE:** <https://www.cve.org/CVERecord?id=CVE-2026-7435>
* **VulnCheck Advisory:** <https://www.vulncheck.com/advisories/sscms-sql-injection-via-stl-sqlcontent-querystring>
