| CVE ID | CVE-2026-12076 |
| Publication date | 30 June 2026 |
| Vendor | Raytha |
| Product | Raytha |
| Vulnerable versions | 1.5.2 |
| Vulnerability type (CWE) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about a vulnerability in Raytha CMS software and participated in the coordination of its disclosure.
CVE-2026-12076: Raytha CMS is vulnerable to SQL injection in the OData filter parsing pipeline. The vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL statements against the underlying PostgreSQL database, leading to full database compromise, including credential extraction.
Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 1.5.2 but may also affect other versions.
Credits
We thank Arkadiusz Marta for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.