Skip to main content

Masa CMS CVE-2026-40330

| EUVDEUVD-2026-27480 CRITICAL
SQL Injection (CWE-89)
2026-05-05 GitHub_M
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 05, 2026 - 20:32 vuln.today
CVSS changed
May 05, 2026 - 20:22 NVD
9.3 (CRITICAL)

DescriptionGitHub Advisory

Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, a SQL injection vulnerability exists in the beanFeed.cfc component within the getQuery function's handling of the sortDirection parameter. The parameter value is concatenated directly into SQL queries without sanitization or parameterization. An unauthenticated remote attacker can exploit this to extract sensitive information, modify or delete database records, or potentially achieve remote code execution on the underlying database server.

This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, use a WAF to block or restrict access to the beanFeed.cfc component, or deploy rules to detect SQL injection patterns targeting the sortDirection parameter.

AnalysisAI

SQL injection in Masa CMS beanFeed.cfc allows unauthenticated remote attackers to extract sensitive database contents, modify records, delete data, or potentially execute code on the database server. The vulnerability affects multiple release branches (7.2.x through 7.5.x) and stems from unsanitized concatenation of the sortDirection parameter directly into SQL queries. With CVSS 9.3 (critical severity, network-accessible, no authentication required) and no public exploit currently identified, this represents a high-priority patching scenario for internet-facing Masa CMS deployments. Vendor-released patches are available across all affected branches.

Technical ContextAI

Masa CMS is an open source content management system built on ColdFusion. The vulnerability resides in beanFeed.cfc, a ColdFusion component responsible for content feed queries. The getQuery function constructs SQL statements by directly concatenating user-controlled input from the sortDirection parameter without using parameterized queries or input validation. This classic SQL injection flaw (CWE-89) allows arbitrary SQL commands to be injected into the ORDER BY clause or surrounding query context. ColdFusion's cfquery tag supports parameterized queries via cfqueryparam, which was not implemented here. The affected CPE (cpe:2.3:a:masacms:masacms) covers versions 7.2.0-7.2.9, 7.3.0-7.3.14, 7.4.0-7.4.9, and 7.5.0-7.5.2 across all deployment platforms.

RemediationAI

Upgrade immediately to the patched versions: 7.2.10 for the 7.2.x branch, 7.3.15 for 7.3.x, 7.4.10 for 7.4.x, or 7.5.3 for 7.5.x. Download patches from the official Masa CMS repository or GitHub advisory at https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-56cc-gxfr-hqp8. If immediate patching is not feasible, deploy web application firewall rules to block or restrict access to the beanFeed.cfc component entirely, or implement pattern-based detection for SQL injection attempts targeting the sortDirection parameter (look for SQL metacharacters like single quotes, semicolons, UNION keywords, comment sequences). Note that WAF-based blocking may break legitimate feed functionality if the component is actively used, requiring coordination with application owners. Restricting access by IP address or authentication layer provides defense-in-depth but does not eliminate risk from authenticated users or internal threats.

Share

CVE-2026-40330 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy