CVE-2025-56316
Java vulnerability analysis and mitigation

Overview

A SQL injection vulnerability, identified as CVE-2025-56316, has been discovered in MCMS versions 5.5.0 through 6.0.1. The flaw is in the content_title parameter of the /cms/content/list endpoint, where user input is rendered unsanitized through a FreeMarker template, allowing remote attackers to execute arbitrary SQL queries. The vulnerability was discovered in October 2025 and has been fixed in version 6.0.2 (MITRE, GitHub POC).

Technical details

The vulnerability stems from the application's use of template-based SQL construction: the backend renders user input directly into SQL queries without proper sanitization, particularly when the database is configured with allowMultiQueries=true. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its severe impact and ease of exploitation (MITRE).

Impact

The vulnerability can lead to multiple severe consequences. Attackers can inject stacked queries to create or modify administrator accounts without authentication. If the database user has elevated privileges (e.g., root), attackers can leverage INTO DUMPFILE to write malicious files such as cron jobs or User-Defined Functions (UDFs), potentially leading to full system compromise. This could result in unauthorized access, data breach, and remote code execution (GitHub POC).

Mitigation and workarounds

Users are advised to upgrade to MCMS version 6.0.2 or later, which contains the fix for this vulnerability. Additional security measures include: not enabling allowMultiQueries=true in production environments, running the database under a least-privilege account (never as root), replacing template-based raw SQL with parameterized queries and input whitelists, and implementing proper validation of MySQL-specific syntax at application boundaries (GitHub POC).
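
An added example, not code from MCMS or from the advisory: a small audit that checks one deployment against the points above (affected version range, allowMultiQueries=true, root database account). The function names and finding codes are hypothetical, the sample host is a placeholder, and the caller is assumed to supply the version, JDBC URL and database user from the deployment's own configuration.

```python
from urllib.parse import urlsplit, parse_qs

AFFECTED_FIRST = (5, 5, 0)  # first affected MCMS release, per the advisory
FIXED_IN = (6, 0, 2)        # first fixed MCMS release, per the advisory

def parse_version(text):
    """'6.0.1' -> (6, 0, 1); None when a component is not a plain integer."""
    try:
        parts = [int(p) for p in text.strip().split(".")]
    except ValueError:
        return None
    return tuple(parts + [0] * (3 - len(parts)))  # pad '5.5' to (5, 5, 0)

def jdbc_params(jdbc_url):
    """Query parameters of a jdbc:mysql:// URL, keys lowercased."""
    query = urlsplit(jdbc_url.split("jdbc:", 1)[-1]).query
    return {k.lower(): v[-1] for k, v in parse_qs(query).items()}

def audit(mcms_version, jdbc_url, db_user):
    """Return finding codes (hypothetical names) for one deployment."""
    findings = []
    version = parse_version(mcms_version)
    if version is None:
        findings.append("VERSION_UNKNOWN")
    elif AFFECTED_FIRST <= version < FIXED_IN:
        findings.append("AFFECTED_VERSION")
    params = jdbc_params(jdbc_url)
    # Connector/J accepts true/yes for boolean properties.
    if params.get("allowmultiqueries", "").lower() in ("true", "yes"):
        findings.append("MULTI_QUERIES_ENABLED")
    # The account can be given separately or as the URL's user parameter.
    if "root" in (db_user, params.get("user")):
        findings.append("DB_USER_IS_ROOT")
    return findings

if __name__ == "__main__":
    # Constructed sample deployment; host and database name are placeholders.
    url = "jdbc:mysql://db.example.internal:3306/mcms?useSSL=false&allowMultiQueries=true"
    print(audit("6.0.1", url, "root"))
```

A version string that is not purely numeric (for example a snapshot build) is reported as VERSION_UNKNOWN rather than silently treated as fixed.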


This report was generated using AI.

Related Java vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
| --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-56316 | CRITICAL | 9.8 | Java | net.mingsoft:ms-mcms | No | Yes | Oct 17, 2025 |
| CVE-2025-47410 | HIGH | 8.8 | Java | cpe:2.3:a:apache:geode | No | Yes | Oct 18, 2025 |
| CVE-2025-57738 | HIGH | 7.2 | Java | org.apache.syncope.core:syncope-core-spring | No | Yes | Oct 20, 2025 |
| CVE-2025-62249 | MEDIUM | 6.9 | Java | cpe:2.3:a:liferay:liferay_portal | No | Yes | Oct 21, 2025 |
| CVE-2025-62250 | MEDIUM | 6.9 | Java | com.liferay:com.liferay.portal.cluster.multiple | No | Yes | Oct 21, 2025 |
