Skip to main content

Masa CMS EUVDEUVD-2026-27482

| CVE-2026-40331 CRITICAL
SQL Injection (CWE-89)
2026-05-05 GitHub_M
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 05, 2026 - 20:33 vuln.today
CVSS changed
May 05, 2026 - 20:22 NVD
9.3 (CRITICAL)

DescriptionGitHub Advisory

Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, the unauthenticated JSON API accepts an altTable parameter that is stored via the setAltTable() method without validation or sanitization. This value is injected directly into a SQL FROM clause within feedGateway.cfc. An unauthenticated attacker can pass an arbitrary subquery into the altTable parameter to read sensitive data from any table in the database in a single HTTP request, including administrative credentials and password reset tokens.

This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, apply validation to the setAltTable function in core/mura/content/feed/feedBean.cfc to restrict input to simple alphanumeric table names, or disable the JSON API if it is not required.

AnalysisAI

SQL injection in Masa CMS 7.2.x through 7.5.2 allows unauthenticated remote attackers to extract sensitive database contents including administrative credentials and password reset tokens. The JSON API accepts unsanitized altTable parameters that are directly interpolated into SQL FROM clauses, enabling arbitrary subquery injection via feedGateway.cfc in a single HTTP request. CVSS 9.3 (Critical) with network vector, low complexity, and no authentication required. No public exploit or CISA KEV listing identified at time of analysis, but the technical details disclosed in the GitHub Security Advisory provide sufficient information for weaponization.

Technical ContextAI

Masa CMS is a CFML-based (ColdFusion Markup Language) open-source content management system. The vulnerability resides in the feed component's feedBean.cfc file, which implements a setAltTable() method for the JSON API. This method accepts user-controlled input via the altTable parameter without validation or parameterization and injects it directly into SQL FROM clauses within feedGateway.cfc. This is a classic first-order SQL injection (CWE-89) where attacker input flows directly from HTTP request to database query construction. The CFML query interface does not automatically parameterize dynamic table names, making this a common anti-pattern in legacy ColdFusion applications. The affected CPE (cpe:2.3:a:masacms:masacms) indicates this is the core MasaCMS product, not a third-party plugin.

RemediationAI

Upgrade to Masa CMS 7.2.10, 7.3.15, 7.4.10, or 7.5.3 depending on your current major.minor version branch as documented in https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-jphh-r686-6w7j. If immediate patching is not feasible, apply input validation to the setAltTable() function in core/mura/content/feed/feedBean.cfc to whitelist only alphanumeric table names using a regex pattern like ^[a-zA-Z0-9_]+$ and reject any input containing SQL syntax characters (spaces, parentheses, commas, quotes). Alternatively, disable the JSON API entirely if it is not required for business operations by removing or blocking access to the relevant API endpoints at the web server or application firewall level - note this will break any integrations dependent on the JSON API. Test the validation or API disablement thoroughly in a staging environment before production deployment, as overly restrictive validation may break legitimate table name references.

Share

EUVD-2026-27482 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy