VYPR
High severity · 7.3 · NVD Advisory · Published May 11, 2026 · Updated May 12, 2026

CVE-2026-36962

Description

SQL Injection in MuuCMF T6 v1.9.4.20260115 allows an unauthenticated attacker to compromise the entire database, achieve unauthorized administrative access, and potentially gain remote code execution by writing malicious files to the server's file system via the keyword parameter in the /index/controller/Search.php endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated SQL injection in MuuCMF T6 v1.9.4.20260115 via the keyword parameter enables database compromise, admin access, and can lead to RCE via file write.

Vulnerability Analysis

MuuCMF T6 v1.9.4.20260115 contains an SQL injection vulnerability in the /index/controller/Search.php endpoint. The getListByPage() function in app/common/model/Base.php uses whereRaw() when the $map parameter is not an array, allowing raw SQL clauses to be injected. The search controller passes user-supplied keyword input directly into this function without proper sanitization, only trimming whitespace and splitting on spaces, which enables an attacker to append malicious SQL commands [1].

An unauthenticated attacker can exploit this by sending a crafted HTTP request to /index/Search/index.html?keyword=. No authentication or special network position is required; the vulnerable endpoint is publicly accessible. The injection occurs via the keyword parameter, which is processed by the getListByPage() function that constructs the WHERE clause from user input, bypassing the parameterized query path taken when $map is an array [1].

Impact is severe: an attacker can extract the entire database, including user credentials and administrative tokens, potentially achieving unauthorized administrative access. Critically, depending on the MySQL server configuration (specifically secure_file_priv), the attacker can write a web shell to the server's file system, gaining remote code execution (RCE) on the underlying host [1].

According to the disclosed information, the vulnerability exists in version 1.9.4.20260115 and was also confirmed in the later version 1.9.5.20260309. Users should apply any available patches or consider upgrading to a fixed version. Until a patch is available, strict input validation and disabling the use of whereRaw() with user-controllable data are the recommended mitigations [1].
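The two code paths the analysis describes, reduced to a framework-free sketch that is added here and is not MuuCMF's code: a lookalike getListByPage() that splices a non-array $map into the WHERE clause (the whereRaw() path) next to a hardened search that always routes each keyword term through a bound parameter. The function names, the post table and its rows are constructed for the example; it assumes PHP 7.4+ with the pdo_sqlite extension.

```php
<?php
// Added illustration, not MuuCMF's code. Constructed in-memory table (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE post (id INTEGER PRIMARY KEY, title TEXT, status INTEGER)');
$db->exec("INSERT INTO post (title, status) VALUES ('public note', 1), ('hidden draft', 0)");

// Vulnerable pattern: a non-array $map is appended as raw SQL (the whereRaw() path),
// so whatever text the controller assembled from user input becomes part of the query.
function getListByPageVulnerable(PDO $db, $map): array {
    if (is_array($map)) {                               // parameterised path
        $clauses = []; $params = [];
        foreach ($map as $field => $value) { $clauses[] = "$field LIKE ?"; $params[] = $value; }
        $stmt = $db->prepare('SELECT title FROM post WHERE status = 1 AND ' . implode(' AND ', $clauses));
        $stmt->execute($params);
    } else {                                            // raw path: no binding at all
        $stmt = $db->query('SELECT title FROM post WHERE status = 1 AND ' . $map);
    }
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Controller as the analysis describes it: trim, split on spaces, hand over a raw clause.
function searchVulnerable(PDO $db, string $keyword): array {
    $terms = preg_split('/\s+/', trim($keyword));
    return getListByPageVulnerable($db, implode(' AND ', array_map(fn($t) => "title LIKE '%$t%'", $terms)));
}

// Hardened: the controller never emits SQL text. Every term becomes a bound LIKE
// parameter, with LIKE wildcards inside the term escaped so they match literally.
function searchHardened(PDO $db, string $keyword): array {
    $terms = preg_split('/\s+/', trim($keyword), -1, PREG_SPLIT_NO_EMPTY);
    $clauses = []; $params = [];
    foreach ($terms as $t) {
        $clauses[] = "title LIKE ? ESCAPE '\\'";
        $params[] = '%' . addcslashes($t, '%_\\') . '%';
    }
    $sql = 'SELECT title FROM post WHERE status = 1' . ($clauses ? ' AND ' . implode(' AND ', $clauses) : '');
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A plain term behaves the same on both paths. A term containing a quote (an ordinary
// surname here) already alters the query text on the raw path, which is the defect;
// on the hardened path the quote is just data.
print_r(searchVulnerable($db, 'note'));
print_r(searchHardened($db, "o'neill"));   // quote stays literal, no match
try { searchVulnerable($db, "o'neill"); } catch (PDOException $e) { echo "raw path: SQL error\n"; }
```

In a ThinkPHP-style code base the equivalent fix is to build the array form of $map in the controller so the model never reaches the whereRaw() branch with request data.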

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 1

News mentions: 0 (no linked articles in our index yet)