Description
Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, a SQL injection vulnerability exists in the beanFeed.cfc component within the getQuery function's handling of the sortDirection parameter. The parameter value is concatenated directly into SQL queries without sanitization or parameterization. An unauthenticated remote attacker can exploit this to extract sensitive information, modify or delete database records, or potentially achieve remote code execution on the underlying database server.

This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, use a WAF to block or restrict access to the beanFeed.cfc component, or deploy rules to detect SQL injection patterns targeting the sortDirection parameter.
Published: 2026-05-05
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Bugs in the beanFeed component of Masa CMS allow an attacker to inject SQL statements into the sortDirection parameter, which is concatenated directly into a query without sanitization. The resulting vulnerability enables an unauthenticated attacker to read, modify, or delete database records, and in worst‑case scenarios could lead to remote code execution on the database server. This is a classic SQL Injection flaw (CWE‑89) with a CVSS score of 9.3.

Affected Systems

The flaw exists in Masa CMS version 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2. All installations of these releases that expose the beanFeed.cfc component are vulnerable.

Risk and Exploitability

The high CVSS score and lack of mitigating controls indicate that exploitation is highly probable over the internet. An attacker can issue a simple HTTP request to the beanFeed.cfc endpoint with a crafted sortDirection value, bypassing authentication, to inject arbitrary SQL. No exploit probability score is currently available, and the vulnerability is not listed in CISA’s KEV catalog, but the attack vector is straightforward and the impact scope includes the entire database managed by the application.

Generated by OpenCVE AI on May 5, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Masa CMS to a patched release—7.2.10, 7.3.15, 7.4.10, 7.5.3 or later—ensuring the sortDirection handling is secured.
  • If upgrading is not immediately feasible, place a Web Application Firewall in front of the server and configure it to block or rate‑limit requests to beanFeed.cfc, or deploy signatures that detect SQL injection patterns in the sortDirection parameter.
  • Review all application code that incorporates user input into database queries to enforce strict input validation and use parameterized statements, following the best practices for preventing SQL Injection (CWE‑89).

Generated by OpenCVE AI on May 5, 2026 at 21:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Masacms
Masacms masacms
Vendors & Products Masacms
Masacms masacms

Tue, 05 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, a SQL injection vulnerability exists in the beanFeed.cfc component within the getQuery function's handling of the sortDirection parameter. The parameter value is concatenated directly into SQL queries without sanitization or parameterization. An unauthenticated remote attacker can exploit this to extract sensitive information, modify or delete database records, or potentially achieve remote code execution on the underlying database server. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, use a WAF to block or restrict access to the beanFeed.cfc component, or deploy rules to detect SQL injection patterns targeting the sortDirection parameter.
Title Masa CMS SQL injection via sortDirection parameter in beanFeed
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Masacms Masacms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T19:46:03.832Z

Reserved: 2026-04-10T22:50:01.357Z

Link: CVE-2026-40330

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-05T20:16:38.970

Modified: 2026-05-05T20:24:04.853

Link: CVE-2026-40330

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T22:00:11Z

Weaknesses