SSCMS SQL Injection via stl:sqlContent queryString (CVE-2026-7435)

Author: Beatriz Fresno Naumova, hss94531
Date: 30/04/2026
Vendor: siteserver
Product: SSCMS
Version Affected: 7.4.0
Component: STL processing / stl:sqlContent
CWE: CWE-89 – Improper Neutralization of Special Elements used in an SQL Command
Attack Vector: Network

Description

SSCMS v7.4.0 contains a SQL Injection vulnerability in the stl:sqlContent tag, specifically through the queryString attribute.

The value supplied in queryString is passed directly to database execution without proper parameterization or sanitization. By crafting encrypted payloads submitted to the /api/stl/actions/dynamic endpoint, an attacker can execute arbitrary SQL statements against the underlying database.

Impact

Successful exploitation may allow:

  • Unauthorized database access

  • Sensitive data disclosure

  • Authentication bypass

  • Data modification

  • Complete database compromise

CVSS Details

CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Base Score: 7.2 (High)

CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Base Score: 8.6 (High)

Proof of Concept (PoC)

Steps to Reproduce

  1. Set up a vulnerable environment:

    • SSCMS v7.4.0

    • SQLite database

    • Administrator access (to obtain or generate the security_key, if required)

  2. Identify the vulnerable behavior:

    • The endpoint /api/stl/actions/dynamic accepts encrypted STL content.

    • This content is decrypted and processed on the server.

    • The queryString attribute within the stl:sqlContent tag is directly embedded into SQL queries without parameterization.

  3. Craft a malicious STL payload:

  4. Encrypt the payload:

    • Use the system’s security_key to encrypt the STL content.

    • In lab environments, this key may be hardcoded (e.g., in Docker) to simplify reproduction.

    • If the key is unknown, it can be obtained by authenticating as an administrator and generating valid STL content.

  5. Send the encrypted payload to the vulnerable endpoint:

    • Submit a POST request to /api/stl/actions/dynamic with the encrypted value.

  6. Verify exploitation:

    • If successful, the response will include the result of the executed SQL query.

    • Arbitrary SQL queries can be executed, including:

      • Database schema extraction (sqlite_master)

      • Sensitive data retrieval

      • Data modification

Mitigation

  • Avoid passing user-controlled input directly into SQL queries.

  • Use parameterized queries or prepared statements.

  • Validate and sanitize STL template attributes before execution.

  • Restrict access to STL dynamic processing functionality.

  • Update SSCMS to a patched version when available.
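As an added illustration of the first two mitigations (not SSCMS code), the following stand-alone Python shows the pattern the advisory describes, a template attribute spliced straight into SQL text, beside its validated and parameterized counterpart, run against a constructed in-memory SQLite database; the table and column names are placeholders.

```python
import sqlite3

# Constructed demo data; table and column names are placeholders, not SSCMS's.
DEMO_ROWS = [(1, "Welcome", 1), (2, "News", 2), (3, "Draft", 3)]


def make_db():
    """Build an in-memory SQLite database standing in for a CMS content store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE demo_content (id INTEGER PRIMARY KEY, title TEXT, channel_id INTEGER)"
    )
    conn.executemany("INSERT INTO demo_content VALUES (?, ?, ?)", DEMO_ROWS)
    return conn


def titles_unsafe(conn, channel_id):
    """Vulnerable pattern (CWE-89): the attribute value becomes part of the
    SQL text, so any SQL it contains is executed as part of the statement."""
    sql = f"SELECT title FROM demo_content WHERE channel_id = {channel_id}"
    return [row[0] for row in conn.execute(sql)]


def titles_safe(conn, channel_id):
    """Hardened form: validate the attribute's type first, then bind it as a
    parameter so the driver never interprets it as SQL."""
    if not str(channel_id).strip().isdigit():
        raise ValueError("channel_id must be a non-negative integer")
    sql = "SELECT title FROM demo_content WHERE channel_id = ?"
    return [row[0] for row in conn.execute(sql, (int(channel_id),))]


def demo():
    """Feed the same constructed injected value to both functions and return
    (rows leaked by the unsafe form, whether the safe form rejected it)."""
    conn = make_db()
    injected = "1 UNION SELECT name FROM sqlite_master"  # constructed sample
    leaked = titles_unsafe(conn, injected)  # schema name appears in the output
    try:
        titles_safe(conn, injected)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected


if __name__ == "__main__":
    print(demo())
```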

Discoverer

  • Beatriz Fresno Naumova

  • hss94531
