Which versions of Masa CMS are affected by CVE-2026-40331?

Masa CMS versions 7.2.x through 7.5.2 contain a critical unauthenticated SQL injection vulnerability that allows remote attackers to extract administrative credentials and password reset tokens…

Masa CMS CVE-2026-40331

Q: What is the CVSS score of CVE-2026-40331?

CVE-2026-40331 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-27482 CRITICAL

SQL Injection (CWE-89)

2026-05-05 GitHub_M

Information Disclosure SQLi

9.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

May 05, 2026 - 20:33 vuln.today

CVSS changed

May 05, 2026 - 20:22 NVD

9.3 (CRITICAL)

DescriptionNVD

Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, the unauthenticated JSON API accepts an altTable parameter that is stored via the setAltTable() method without validation or sanitization. This value is injected directly into a SQL FROM clause within feedGateway.cfc. An unauthenticated attacker can pass an arbitrary subquery into the altTable parameter to read sensitive data from any table in the database in a single HTTP request, including administrative credentials and password reset tokens.

This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, apply validation to the setAltTable function in core/mura/content/feed/feedBean.cfc to restrict input to simple alphanumeric table names, or disable the JSON API if it is not required.

AnalysisAI

SQL injection in Masa CMS 7.2.x through 7.5.2 allows unauthenticated remote attackers to extract sensitive database contents including administrative credentials and password reset tokens. The JSON API accepts unsanitized altTable parameters that are directly interpolated into SQL FROM clauses, enabling arbitrary subquery injection via feedGateway.cfc in a single HTTP request. …

RemediationAI

Within 24 hours: Identify all Masa CMS deployments and determine installed versions; isolate any running versions 7.2.x through 7.5.2 from production if possible and restrict network access to the feedGateway.cfc endpoint. Within 7 days: Contact Masa CMS vendor for patch availability and timeline; implement Web Application Firewall (WAF) rules to block requests containing 'altTable' parameters to feedGateway.cfc as interim mitigation. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-40331 vulnerability details – vuln.today

Back

Masa CMS CVE-2026-40331

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Masa CMS CVE-2026-40331

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code