Published: 2026/04/23 Last Updated: 2026/04/23
JVN#08026319
CMS ALAYA vulnerable to SQL injection
Overview
CMS ALAYA provided by KANATA Limited contains an SQL injection vulnerability.
Products Affected
- CMS ALAYA versions 7.4.1.4 and earlier
Description
CMS ALAYA provided by KANATA Limited contains the following vulnerability.
- SQL injection (CWE-89)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N Base Score 5.1
  - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L Base Score 4.7
  - CVE-2026-40529
Impact
Information stored in the database may be obtained or altered by an attacker with access to the administrative interface.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
Credit
Naoto Senda of Five Drive Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
Other Information
| CVE | CVE-2026-40529 |
| JVN iPedia | JVNDB-2026-000062 |