CVE-2026-12076 CRITICAL

CVE-2026-12076: SQL Injection in Raytha CMS

Vendor Raytha
Product Raytha
Weakness CWE-89 · SQLi
Published June 30, 2026
Last update June 30, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Raytha CMS is vulnerable to SQL Injection within the OData filter parsing pipeline.  The vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL statements against the underlying PostgreSQL database, leading to full database compromise, including credential extraction. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 1.5.2 but may also affect other versions.

Key dates

02Disclosure timeline

June 30, 2026 CVE published
June 30, 2026 Record updated