Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionGitHub Advisory
Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, a SQL injection vulnerability exists in the beanFeed.cfc component within the getQuery function's handling of the sortDirection parameter. The parameter value is concatenated directly into SQL queries without sanitization or parameterization. An unauthenticated remote attacker can exploit this to extract sensitive information, modify or delete database records, or potentially achieve remote code execution on the underlying database server.
This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, use a WAF to block or restrict access to the beanFeed.cfc component, or deploy rules to detect SQL injection patterns targeting the sortDirection parameter.
AnalysisAI
SQL injection in Masa CMS beanFeed.cfc allows unauthenticated remote attackers to extract sensitive database contents, modify records, delete data, or potentially execute code on the database server. The vulnerability affects multiple release branches (7.2.x through 7.5.x) and stems from unsanitized concatenation of the sortDirection parameter directly into SQL queries. With CVSS 9.3 (critical severity, network-accessible, no authentication required) and no public exploit currently identified, this represents a high-priority patching scenario for internet-facing Masa CMS deployments. Vendor-released patches are available across all affected branches.
Technical ContextAI
Masa CMS is an open source content management system built on ColdFusion. The vulnerability resides in beanFeed.cfc, a ColdFusion component responsible for content feed queries. The getQuery function constructs SQL statements by directly concatenating user-controlled input from the sortDirection parameter without using parameterized queries or input validation. This classic SQL injection flaw (CWE-89) allows arbitrary SQL commands to be injected into the ORDER BY clause or surrounding query context. ColdFusion's cfquery tag supports parameterized queries via cfqueryparam, which was not implemented here. The affected CPE (cpe:2.3:a:masacms:masacms) covers versions 7.2.0-7.2.9, 7.3.0-7.3.14, 7.4.0-7.4.9, and 7.5.0-7.5.2 across all deployment platforms.
RemediationAI
Upgrade immediately to the patched versions: 7.2.10 for the 7.2.x branch, 7.3.15 for 7.3.x, 7.4.10 for 7.4.x, or 7.5.3 for 7.5.x. Download patches from the official Masa CMS repository or GitHub advisory at https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-56cc-gxfr-hqp8. If immediate patching is not feasible, deploy web application firewall rules to block or restrict access to the beanFeed.cfc component entirely, or implement pattern-based detection for SQL injection attempts targeting the sortDirection parameter (look for SQL metacharacters like single quotes, semicolons, UNION keywords, comment sequences). Note that WAF-based blocking may break legitimate feed functionality if the component is actively used, requiring coordination with application owners. Restricting access by IP address or authentication layer provides defense-in-depth but does not eliminate risk from authenticated users or internal threats.
Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 a
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, there is vulnerabl
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the
SQL injection in Masa CMS 7.2.x through 7.5.2 allows unauthenticated remote attackers to extract sensitive database cont
SQL injection in Masa CMS 7.5.2 and earlier allows unauthenticated remote attackers to execute arbitrary SQL commands vi
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27480