Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionGitHub Advisory
Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, the unauthenticated JSON API accepts an altTable parameter that is stored via the setAltTable() method without validation or sanitization. This value is injected directly into a SQL FROM clause within feedGateway.cfc. An unauthenticated attacker can pass an arbitrary subquery into the altTable parameter to read sensitive data from any table in the database in a single HTTP request, including administrative credentials and password reset tokens.
This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, apply validation to the setAltTable function in core/mura/content/feed/feedBean.cfc to restrict input to simple alphanumeric table names, or disable the JSON API if it is not required.
AnalysisAI
SQL injection in Masa CMS 7.2.x through 7.5.2 allows unauthenticated remote attackers to extract sensitive database contents including administrative credentials and password reset tokens. The JSON API accepts unsanitized altTable parameters that are directly interpolated into SQL FROM clauses, enabling arbitrary subquery injection via feedGateway.cfc in a single HTTP request. CVSS 9.3 (Critical) with network vector, low complexity, and no authentication required. No public exploit or CISA KEV listing identified at time of analysis, but the technical details disclosed in the GitHub Security Advisory provide sufficient information for weaponization.
Technical ContextAI
Masa CMS is a CFML-based (ColdFusion Markup Language) open-source content management system. The vulnerability resides in the feed component's feedBean.cfc file, which implements a setAltTable() method for the JSON API. This method accepts user-controlled input via the altTable parameter without validation or parameterization and injects it directly into SQL FROM clauses within feedGateway.cfc. This is a classic first-order SQL injection (CWE-89) where attacker input flows directly from HTTP request to database query construction. The CFML query interface does not automatically parameterize dynamic table names, making this a common anti-pattern in legacy ColdFusion applications. The affected CPE (cpe:2.3:a:masacms:masacms) indicates this is the core MasaCMS product, not a third-party plugin.
RemediationAI
Upgrade to Masa CMS 7.2.10, 7.3.15, 7.4.10, or 7.5.3 depending on your current major.minor version branch as documented in https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-jphh-r686-6w7j. If immediate patching is not feasible, apply input validation to the setAltTable() function in core/mura/content/feed/feedBean.cfc to whitelist only alphanumeric table names using a regex pattern like ^[a-zA-Z0-9_]+$ and reject any input containing SQL syntax characters (spaces, parentheses, commas, quotes). Alternatively, disable the JSON API entirely if it is not required for business operations by removing or blocking access to the relevant API endpoints at the web server or application firewall level - note this will break any integrations dependent on the JSON API. Test the validation or API disablement thoroughly in a staging environment before production deployment, as overly restrictive validation may break legitimate table name references.
Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 a
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, there is vulnerabl
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the
SQL injection in Masa CMS beanFeed.cfc allows unauthenticated remote attackers to extract sensitive database contents, m
SQL injection in Masa CMS 7.5.2 and earlier allows unauthenticated remote attackers to execute arbitrary SQL commands vi
Same weakness CWE-89 – SQL Injection
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27482