Description
Masa CMS is an open source content management system. In versions 7.5.2 and earlier, a SQL injection vulnerability exists in the beanFeed.cfc component within the getQuery function's processing of the sortBy parameter. The application fails to properly sanitize or parameterize this input before incorporating it into dynamic SQL statements. An unauthenticated remote attacker can execute arbitrary SQL commands against the database, potentially gaining access to sensitive data, modifying or deleting records, or escalating privileges to administrative control.

This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, configure WAF rules to block malicious SQL patterns in the sortBy parameter sent to beanFeed.cfc.
Published: 2026-05-05
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Masa CMS is vulnerable to SQL injection through the sortBy parameter handled by the getQuery function of the beanFeed.cfc component. The input is concatenated into a dynamic SQL statement without validation or parameterization, so the attacker controls part of the query text. A sort column is an identifier, not a value: bind parameters (cfqueryparam, queryExecute params) cannot carry it, so the correct fix is to map the untrusted sort key onto a closed allow-list of column names rather than to escape it. The flaw can compromise the confidentiality, integrity, and availability of the underlying database, allowing data exfiltration, modification, deletion, or privilege escalation to administrative roles. The weakness corresponds to CWE-89: SQL Injection.
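The mechanism above, as an added illustration that is not Masa CMS code (Masa CMS is written in CFML; this uses Python and an in-memory SQLite database). The schema, table names, and the ALLOWED_SORT mapping are constructed for the example. It shows why splicing a sort parameter into ORDER BY is exploitable even when the response carries no error text, and the allow-list shape of the fix:

```python
import sqlite3

# Constructed schema and rows for this illustration only. They are not Masa CMS
# tables and imply nothing about its real database layout.
SCHEMA = """
CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT, created TEXT);
CREATE TABLE users   (id INTEGER PRIMARY KEY, username TEXT, secret TEXT);
INSERT INTO content VALUES (1, 'zeta',  '2026-01-03'),
                           (2, 'alpha', '2026-01-01'),
                           (3, 'mid',   '2026-01-02');
INSERT INTO users   VALUES (1, 'admin', 'hunter2');
"""


def connect():
    """In-memory database seeded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_feed(conn, sort_by):
    """The flawed pattern: the caller's sort parameter is spliced into ORDER BY.

    A bind parameter would not help here, because the database expects an
    identifier or expression in this position, not a value."""
    sql = f"SELECT id FROM content ORDER BY {sort_by}"
    return [row[0] for row in conn.execute(sql)]


# Hypothetical allow-list: every sort key the API accepts, mapped onto a fixed
# column name. Anything not in this dict is rejected before any SQL is built.
ALLOWED_SORT = {"id": "id", "title": "title", "created": "created"}


def hardened_feed(conn, sort_by, direction="asc"):
    """The fix: untrusted input selects from a closed set; only constants reach the SQL."""
    column = ALLOWED_SORT.get(sort_by)
    if column is None:
        raise ValueError(f"unsupported sortBy: {sort_by!r}")
    if direction.lower() not in ("asc", "desc"):
        raise ValueError(f"unsupported direction: {direction!r}")
    sql = f"SELECT id FROM content ORDER BY {column} {direction.upper()}"
    return [row[0] for row in conn.execute(sql)]


def oracle_probe(conn, guess):
    """Boolean-based probe through the vulnerable builder: rows come back ordered
    by id when the guess is right and by title when it is wrong, so the response
    order itself leaks one bit, with no error message needed."""
    payload = (
        "(CASE WHEN (SELECT substr(secret, 1, 1) FROM users WHERE id = 1) = "
        f"'{guess}' THEN id ELSE title END)"
    )
    return vulnerable_feed(conn, payload)


def recover_first_char(conn, alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Walk the alphabet until the order flips to the by-id baseline."""
    baseline = vulnerable_feed(conn, "id")
    for guess in alphabet:
        if oracle_probe(conn, guess) == baseline:
            return guess
    return None


if __name__ == "__main__":
    db = connect()
    print("legit sort by title   :", vulnerable_feed(db, "title"))
    print("leaked first character:", recover_first_char(db))
    print("hardened sort by title:", hardened_feed(db, "title"))
    try:
        hardened_feed(db, "(CASE WHEN 1=1 THEN id ELSE title END)")
    except ValueError as exc:
        print("hardened rejected     :", exc)
```

The same allow-list approach carries over to CFML: look the incoming sortBy up in a struct of permitted column names and build the ORDER BY clause from the struct's value, never from the request.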

Affected Systems

The affected product is Masa CMS (vendor and product both listed as MasaCMS), versions 7.5.2 and earlier. Fixes were released on four branches: 7.2.10, 7.3.15, 7.4.10, and 7.5.3. Because the fixed 7.2.x, 7.3.x and 7.4.x releases are numerically lower than 7.5.2, the version check must be branch-aware: an installation is patched only if it is at or above the first fixed release of its own branch. A suggested temporary safeguard is a WAF rule blocking SQL metacharacters and keywords in the sortBy parameter sent to beanFeed.cfc; treat this as a stopgap, since pattern-based filters can be bypassed.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 score of 9.3 (critical), with vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H. No EPSS score is available and the issue is not listed in the CISA KEV catalog, so public exploitation data is limited. Based on the description, the attack vector is an unauthenticated remote attacker sending crafted sortBy values in HTTP requests to beanFeed.cfc, which reach the vulnerable SQL statement in getQuery. Because a sort expression is evaluated per row, injection into ORDER BY is exploitable even when no error text is returned, for example by making the result order depend on a condition (boolean-based) or by introducing a delay (time-based). The absence of an authentication requirement and the dynamic query construction make exploitation straightforward for anyone who can reach the endpoint.

Generated by OpenCVE AI on May 5, 2026 at 21:21 UTC.

Remediation

Fixed releases are available: 7.2.10, 7.3.15, 7.4.10, and 7.5.3. Until an upgrade is possible, the vendor's suggested workaround is a WAF rule that blocks SQL injection patterns in the sortBy parameter sent to beanFeed.cfc.

OpenCVE Recommended Actions

  • Upgrade MasaCMS to the first fixed release of your branch (7.2.10, 7.3.15, 7.4.10 or 7.5.3) or later; a 7.4.x install is not fixed simply because 7.5.3 exists.
  • As an interim measure only, configure the web application firewall to reject sortBy values sent to beanFeed.cfc that are not plain column identifiers; a keyword deny-list alone is easy to evade with comments, casing and encoding.
  • Monitor HTTP traffic for sortBy values containing quotes, parentheses, commas or SQL keywords, and review application and database logs for unexpected queries, errors or slow statements that point to blind injection attempts.
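A way to carry out the monitoring step above, as an added example that is not part of the OpenCVE page or the Masa CMS project. It parses constructed access-log lines (not real traffic), extracts every sortBy value, and reports any value that is not a bare identifier optionally followed by asc/desc. The request path is not stated on the page, so the /feed.cfm path in the sample is invented and the scanner keys on the parameter name alone. Using a positive model (what a legitimate sort key looks like) rather than a keyword deny-list is the point: encoded or commented payloads still fail the model.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in combined format; not real Masa CMS traffic.
# The request path that carries sortBy to beanFeed.cfc is not given on the
# page, so the paths below are made up and the scanner keys on the parameter name.
SAMPLE_LOG = """\
198.51.100.7 - - [05/May/2026:20:10:01 +0000] "GET /feed.cfm?sortBy=created HTTP/1.1" 200 5120
198.51.100.7 - - [05/May/2026:20:10:05 +0000] "GET /feed.cfm?sortBy=title%20desc HTTP/1.1" 200 5120
203.0.113.9 - - [05/May/2026:20:11:42 +0000] "GET /feed.cfm?sortBy=(CASE%20WHEN%20(SELECT%20substr(pw,1,1)%20FROM%20users)='a'%20THEN%201%20ELSE%202%20END) HTTP/1.1" 200 5120
203.0.113.9 - - [05/May/2026:20:11:43 +0000] "GET /feed.cfm?sortBy=title%2C(SELECT%20sleep(5)) HTTP/1.1" 200 5120
203.0.113.9 - - [05/May/2026:20:11:50 +0000] "GET /feed.cfm?sortby=title' HTTP/1.1" 500 312
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Positive model: a legitimate sort key is a bare identifier, optionally followed
# by asc/desc. Anything else is reported, so keyword and comment tricks that
# defeat a deny-list are still caught.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*(\s+(asc|desc))?$", re.IGNORECASE)

# Indicators listed in the finding to speed up triage; they do not drive the decision.
INDICATORS = ("'", '"', ";", "--", "/*", "(", ")", ",", "select", "case", "union",
              "sleep", "waitfor", "pg_sleep", "benchmark")


def sortby_values(target):
    """All sortBy values in a request target. CFML's URL scope is case-insensitive,
    so the parameter name is matched case-insensitively as well."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [v for key, values in params.items() if key.lower() == "sortby" for v in values]


def classify(value):
    """None for a well-formed sort key, otherwise the list of indicators seen."""
    if IDENT_RE.match(value):
        return None
    lowered = value.lower()
    return [tok for tok in INDICATORS if tok in lowered] or ["non-identifier characters"]


def scan_log(text):
    """Parse each line, pull out sortBy, and report every value that fails the model."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in sortby_values(m["target"]):
            indicators = classify(value)
            if indicators:
                findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                                 "value": value, "indicators": indicators})
    return findings


def offenders(findings):
    """Flagged requests per source address, for blocking or escalation."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f'{f["ts"]} {f["ip"]} status={f["status"]} sortBy={f["value"]!r} -> {f["indicators"]}')
    print("per-IP:", dict(offenders(hits)))
```

Run against the constructed sample, the two requests from 198.51.100.7 pass and the three from 203.0.113.9 are flagged. A 500 status on a flagged request, as in the last line, is worth prioritising because it suggests the payload reached the database.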

Generated by OpenCVE AI on May 5, 2026 at 21:21 UTC.

Advisories

No advisories yet.

History

Tue, 05 May 2026 22:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Masacms
                                       Masacms masacms
Vendors & Products                     Masacms
                                       Masacms masacms

Tue, 05 May 2026 20:00:00 +0000

Type          Values Removed   Values Added
Description                    Masa CMS is an open source content management system. In versions 7.5.2 and earlier, a SQL injection vulnerability exists in the beanFeed.cfc component within the getQuery function's processing of the sortBy parameter. The application fails to properly sanitize or parameterize this input before incorporating it into dynamic SQL statements. An unauthenticated remote attacker can execute arbitrary SQL commands against the database, potentially gaining access to sensitive data, modifying or deleting records, or escalating privileges to administrative control. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, configure WAF rules to block malicious SQL patterns in the sortBy parameter sent to beanFeed.cfc.
Title                          SQL Injection vulnerability via sortBy in beanFeed
Weaknesses                     CWE-89
References
Metrics                        cvssV4_0
                               {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T19:44:32.322Z

Reserved: 2026-04-10T22:50:01.357Z

Link: CVE-2026-40329

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-05T20:16:38.790

Modified: 2026-05-05T20:24:04.853

Link: CVE-2026-40329

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T22:30:33Z

Weaknesses