Description
Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, the unauthenticated JSON API accepts an altTable parameter that is stored via the setAltTable() method without validation or sanitization. This value is injected directly into a SQL FROM clause within feedGateway.cfc. An unauthenticated attacker can pass an arbitrary subquery into the altTable parameter to read sensitive data from any table in the database in a single HTTP request, including administrative credentials and password reset tokens.

This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, apply validation to the setAltTable function in core/mura/content/feed/feedBean.cfc to restrict input to simple alphanumeric table names, or disable the JSON API if it is not required.
Published: 2026-05-05
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when the unauthenticated JSON API accepts an altTable parameter that is inserted directly into a SQL FROM clause without validation or sanitization. An attacker can include an arbitrary subquery in this parameter, which is then executed by the database. This allows the unauthorized user to read sensitive data from any table, such as administrative credentials and password-reset tokens, with a single HTTP request.

Affected Systems

The flaw affects Masa CMS versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2.

Risk and Exploitability

The CVSS score of 9.3 reflects a high-severity data-exposure risk. The vulnerability is exploitable without any authentication, via a standard web request to the JSON API. Attackers can use the unauthenticated service to inject a subquery that returns arbitrary data; the likely attack vector is a publicly reachable Masa CMS instance. The EPSS score is not available, and the simplicity of the exploit and lack of a known mitigation make the threat significant. The vulnerability is not listed in the CISA KEV catalog as of the current data.

Generated by OpenCVE AI on May 5, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Masa CMS to a fixed release (7.2.10, 7.3.15, 7.4.10, or 7.5.3) or a newer major version.
  • If an upgrade cannot be performed immediately, modify core/mura/content/feed/feedBean.cfc to validate the altTable input, allowing only simple alphanumeric table names.
  • If the JSON API is not required, disable it in the Masa CMS configuration to remove the attack surface.

Generated by OpenCVE AI on May 5, 2026 at 21:50 UTC.
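The workaround in the description and in the recommended actions above is an allowlist on the altTable setter. The following is an added example of what such a validating setAltTable() could look like in feedBean.cfc; it is not Masa CMS's own code and not the vendor's fix. The advisory names only the method and the file: the component layout, the variables.altTable storage, the getAltTable() accessor and the exception type used here are assumptions.

```cfml
// Added example, not Masa CMS's own code: a hardened setAltTable() for feedBean.cfc.
// Assumptions: the bean is a CFC that keeps the alternate table name in
// variables.altTable, exposes it through getAltTable(), and is chained (returns this).
component {

    // Allowlist pattern: one bare alphanumeric identifier, bounded in length.
    // The advisory asks for "simple alphanumeric table names"; add "_" to the
    // character class only if the site's schema actually uses it.
    variables.altTablePattern = "^[A-Za-z0-9]{1,64}$";

    public any function setAltTable(required string altTable) {
        var candidate = trim(arguments.altTable);

        // An empty value means "no alternate table": store nothing, reject nothing.
        if (!len(candidate)) {
            variables.altTable = "";
            return this;
        }

        // reFind() returns 0 when the pattern does not match. Parentheses, spaces,
        // quotes, commas and comment sequences all fail the allowlist, so a subquery
        // can never reach the FROM clause that feedGateway.cfc builds from this value.
        if (!reFind(variables.altTablePattern, candidate)) {
            throw(
                type    = "MasaCMS.InvalidAltTable",   // assumed exception type
                message = "altTable must be a simple alphanumeric table name"
            );
        }

        variables.altTable = candidate;
        return this;
    }

    public string function getAltTable() {
        return structKeyExists(variables, "altTable") ? variables.altTable : "";
    }

}
```

Rejecting with an exception rather than silently stripping characters is deliberate: a caller that sends a non-identifier value gets a visible error, which is also easy to log and alert on, instead of a quietly rewritten query. The pattern is a positive allowlist, so it does not depend on enumerating SQL syntax to block.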


Advisories

No advisories yet.

History

Tue, 05 May 2026 23:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Masacms; Masacms masacms

Type: Vendors & Products
Values Removed: (none)
Values Added: Masacms; Masacms masacms

Tue, 05 May 2026 20:00:00 +0000

Values Added:
Description: Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, the unauthenticated JSON API accepts an altTable parameter that is stored via the setAltTable() method without validation or sanitization. This value is injected directly into a SQL FROM clause within feedGateway.cfc. An unauthenticated attacker can pass an arbitrary subquery into the altTable parameter to read sensitive data from any table in the database in a single HTTP request, including administrative credentials and password reset tokens. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, apply validation to the setAltTable function in core/mura/content/feed/feedBean.cfc to restrict input to simple alphanumeric table names, or disable the JSON API if it is not required.
Title: Masa CMS unauthenticated SQL injection via altTable parameter in JSON API
Weaknesses: CWE-89
References:
Metrics: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T19:48:07.898Z

Reserved: 2026-04-10T22:50:01.357Z

Link: CVE-2026-40331

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-05T20:16:39.113

Modified: 2026-05-05T20:24:04.853

Link: CVE-2026-40331

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T23:00:10Z

Weaknesses