CVE-2026-40330
Deferred Deferred - Pending Action
SQL Injection in Masa CMS

Publication date: 2026-05-05

Last updated on: 2026-05-05

Assigner: GitHub, Inc.

Description
Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, a SQL injection vulnerability exists in the beanFeed.cfc component within the getQuery function's handling of the sortDirection parameter. The parameter value is concatenated directly into SQL queries without sanitization or parameterization. An unauthenticated remote attacker can exploit this to extract sensitive information, modify or delete database records, or potentially achieve remote code execution on the underlying database server. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, use a WAF to block or restrict access to the beanFeed.cfc component, or deploy rules to detect SQL injection patterns targeting the sortDirection parameter.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40330
EUVD
EUVD-2026-27480
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
masa_cms masa_cms From 7.2.0 (inc) to 7.2.9 (inc)
masa_cms masa_cms From 7.3.0 (inc) to 7.3.14 (inc)
masa_cms masa_cms From 7.4.0 (inc) to 7.4.9 (inc)
masa_cms masa_cms From 7.5.0 (inc) to 7.5.2 (inc)
masa_cms masa_cms 7.2.10
masa_cms masa_cms 7.3.15
masa_cms masa_cms 7.4.10
masa_cms masa_cms 7.5.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The SQL injection vulnerability in Masa CMS allows unauthenticated attackers to extract sensitive information, modify or delete database records, or potentially execute remote code on the database server. Such unauthorized access and manipulation of sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access and breaches.

Failure to patch this vulnerability or implement adequate mitigations could result in non-compliance with these standards due to potential data breaches, loss of data integrity, and compromised availability.

Executive Summary

CVE-2026-40330 is a critical SQL injection vulnerability in Masa CMS versions up to 7.5.2. It exists in the beanFeed.cfc component, specifically in the getQuery function's handling of the sortDirection parameter. This parameter is directly concatenated into SQL queries without proper sanitization or parameterization, allowing an unauthenticated remote attacker to exploit it.

Exploitation of this vulnerability can enable attackers to extract sensitive information, modify or delete database records, or potentially achieve remote code execution on the underlying database server.

The vulnerability has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3.

Impact Analysis

This vulnerability can have severe impacts including unauthorized extraction of sensitive data, unauthorized modification or deletion of database records, and potentially remote code execution on the database server.

Because the attack can be performed remotely and without authentication, it poses a high risk to the confidentiality, integrity, and availability of the affected system.

Detection Guidance

This SQL injection vulnerability can be detected by monitoring and analyzing requests to the beanFeed.cfc component, specifically looking for suspicious or malformed inputs in the sortDirection parameter.

You can use web application firewall (WAF) logs or deploy WAF rules to detect SQL injection patterns targeting the sortDirection parameter.

Additionally, network traffic inspection tools or intrusion detection systems (IDS) can be configured to look for typical SQL injection payloads in HTTP requests to the vulnerable endpoint.

  • Use curl or similar tools to send test requests with SQL injection payloads in the sortDirection parameter to see if the system is vulnerable, for example: curl -v "http://yourserver/beanFeed.cfc?method=getQuery&sortDirection=' OR '1'='1"
  • Check web server logs for unusual query strings or error messages related to SQL syntax errors involving the sortDirection parameter.
Mitigation Strategies

The immediate mitigation steps include upgrading Masa CMS to a fixed version: 7.2.10, 7.3.15, 7.4.10, or 7.5.3.

If upgrading is not immediately possible, restrict or block access to the vulnerable beanFeed.cfc component using a web application firewall (WAF).

Deploy WAF rules specifically designed to detect and block SQL injection attempts targeting the sortDirection parameter.

Ensure that the database user account used by Masa CMS has minimal privileges to limit the impact of a potential exploit.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40330. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart