Skip to main content

Masa CMS CVE-2026-40329

| EUVDEUVD-2026-27478 CRITICAL
SQL Injection (CWE-89)
2026-05-05 GitHub_M
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 05, 2026 - 21:32 EUVD
Analysis Generated
May 05, 2026 - 20:32 vuln.today
CVSS changed
May 05, 2026 - 20:22 NVD
9.3 (CRITICAL)

DescriptionGitHub Advisory

Masa CMS is an open source content management system. In versions 7.5.2 and earlier, a SQL injection vulnerability exists in the beanFeed.cfc component within the getQuery function's processing of the sortBy parameter. The application fails to properly sanitize or parameterize this input before incorporating it into dynamic SQL statements. An unauthenticated remote attacker can execute arbitrary SQL commands against the database, potentially gaining access to sensitive data, modifying or deleting records, or escalating privileges to administrative control.

This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, configure WAF rules to block malicious SQL patterns in the sortBy parameter sent to beanFeed.cfc.

AnalysisAI

SQL injection in Masa CMS 7.5.2 and earlier allows unauthenticated remote attackers to execute arbitrary SQL commands via the sortBy parameter in beanFeed.cfc. The vulnerability enables database compromise including sensitive data exfiltration, record manipulation, and privilege escalation to administrative control. Fixed versions released for all affected branches (7.2.10, 7.3.15, 7.4.10, 7.5.3). CVSS 9.3 reflects network vector with no authentication required and high impact across confidentiality, integrity, and availability. No active exploitation confirmed at time of analysis, though the attack surface is fully exposed to internet-facing instances.

Technical ContextAI

The vulnerability resides in the beanFeed.cfc ColdFusion component's getQuery function, which constructs dynamic SQL queries using unsanitized user input from the sortBy parameter. CWE-89 (SQL Injection) occurs when applications concatenate or interpolate untrusted data directly into SQL statements rather than using parameterized queries or prepared statements. In ColdFusion applications, this typically manifests when cfquery tags use string concatenation with form or URL parameters. The affected component cpe:2.3:a:masacms:masacms handles content feed generation, suggesting the sortBy parameter controls result ordering in database queries. Without proper input validation or query parameterization, attackers can inject SQL metacharacters to break out of the intended query context and execute arbitrary SQL commands against the underlying database (likely MySQL, MSSQL, or similar RDBMS commonly used with ColdFusion).

RemediationAI

Upgrade immediately to patched versions: 7.2.10 for 7.2.x branch, 7.3.15 for 7.3.x branch, 7.4.10 for 7.4.x branch, or 7.5.3 for 7.5.x branch as documented in GitHub Security Advisory GHSA-3xpq-q494-8qq4. The vendor has backported fixes across all maintained release lines enabling in-place upgrades without major version migration. For environments unable to patch immediately, implement Web Application Firewall rules targeting the sortBy parameter in requests to beanFeed.cfc endpoints - specifically blocking SQL metacharacters (single quotes, semicolons, UNION keywords, comment sequences) and common injection patterns. Note that WAF-based mitigation provides defense-in-depth only and may be bypassed via encoding or obfuscation techniques; this is a temporary measure only until patching completes. Review database permissions for the ColdFusion application's database user account and reduce to minimum required privileges to limit post-exploitation impact. Audit application logs for suspicious sortBy parameter values indicating exploitation attempts prior to patching.

Share

CVE-2026-40329 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy