CVE-2026-40330
SQL Injection in Masa CMS
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| masa_cms | masa_cms | From 7.2.0 (inc) to 7.2.9 (inc) |
| masa_cms | masa_cms | From 7.3.0 (inc) to 7.3.14 (inc) |
| masa_cms | masa_cms | From 7.4.0 (inc) to 7.4.9 (inc) |
| masa_cms | masa_cms | From 7.5.0 (inc) to 7.5.2 (inc) |
| masa_cms | masa_cms | 7.2.10 |
| masa_cms | masa_cms | 7.3.15 |
| masa_cms | masa_cms | 7.4.10 |
| masa_cms | masa_cms | 7.5.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40330 is a critical SQL injection vulnerability in Masa CMS versions up to 7.5.2. It exists in the beanFeed.cfc component, specifically in the getQuery function's handling of the sortDirection parameter. This parameter is directly concatenated into SQL queries without proper sanitization or parameterization, allowing an unauthenticated remote attacker to exploit it.
Exploitation of this vulnerability can enable attackers to extract sensitive information, modify or delete database records, or potentially achieve remote code execution on the underlying database server.
The vulnerability has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized extraction of sensitive data, unauthorized modification or deletion of database records, and potentially remote code execution on the database server.
Because the attack can be performed remotely and without authentication, it poses a high risk to the confidentiality, integrity, and availability of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability can be detected by monitoring and analyzing requests to the beanFeed.cfc component, specifically looking for suspicious or malformed inputs in the sortDirection parameter.
You can use web application firewall (WAF) logs or deploy WAF rules to detect SQL injection patterns targeting the sortDirection parameter.
Additionally, network traffic inspection tools or intrusion detection systems (IDS) can be configured to look for typical SQL injection payloads in HTTP requests to the vulnerable endpoint.
- Use curl or similar tools to send test requests with SQL injection payloads in the sortDirection parameter to see if the system is vulnerable, for example: `curl -v "http://yourserver/beanFeed.cfc?method=getQuery&sortDirection=' OR '1'='1"`
- Check web server logs for unusual query strings or error messages related to SQL syntax errors involving the sortDirection parameter.
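The log check described above, as an added example that is not part of this advisory or of Masa CMS: it parses web server access log lines in the common "combined" format (an assumption), isolates requests whose path ends in beanFeed.cfc, URL-decodes the sortDirection query parameter and reports any value that is not exactly ASC or DESC. Flagging on an allowlist rather than on payload signatures catches encoded or unusual variants without a pattern list; the sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" access log format (assumed); we need client IP, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The only values a sort direction can legitimately take.
ALLOWED_SORT = {"asc", "desc"}


def flag_request(target: str):
    """Return a reason string if the request target carries a sortDirection value
    for beanFeed.cfc that is outside the ASC/DESC allowlist, otherwise None."""
    parts = urlsplit(target)
    # Path is an assumption; the component may sit under a deeper directory, so match the suffix.
    if not parts.path.lower().endswith("beanfeed.cfc"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("sortDirection", []):
        # parse_qs already decodes once; a second unquote exposes double-encoded values.
        decoded = unquote(value).strip()
        if decoded.lower() not in ALLOWED_SORT:
            return f"sortDirection={decoded!r} is not ASC/DESC"
    return None


def scan_log(lines):
    """Return (client_ip, reason, raw_line) for each suspicious beanFeed.cfc request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing at them
        reason = flag_request(m.group("target"))
        if reason:
            hits.append((m.group("ip"), reason, line))
    return hits


# Constructed sample log lines: one benign, one carrying the page's test payload URL-encoded,
# one for an unrelated endpoint, one benign with mixed case.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/May/2026:10:00:01 +0000] "GET /beanFeed.cfc?method=getQuery&sortDirection=asc HTTP/1.1" 200 512',
    '203.0.113.11 - - [05/May/2026:10:00:02 +0000] "GET /beanFeed.cfc?method=getQuery&sortDirection=%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0',
    '203.0.113.12 - - [05/May/2026:10:00:03 +0000] "GET /index.cfm?sortDirection=%27 HTTP/1.1" 200 100',
    '203.0.113.13 - - [05/May/2026:10:00:04 +0000] "GET /beanFeed.cfc?method=getQuery&sortDirection=Desc HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, reason, _ in scan_log(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

A 500 status on such a request, as in the second sample line, is the "SQL syntax error" signal the advisory mentions and is worth correlating with the application's own error log.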
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation steps include upgrading Masa CMS to a fixed version: 7.2.10, 7.3.15, 7.4.10, or 7.5.3.
If upgrading is not immediately possible, restrict or block access to the vulnerable beanFeed.cfc component using a web application firewall (WAF).
Deploy WAF rules specifically designed to detect and block SQL injection attempts targeting the sortDirection parameter.
Ensure that the database user account used by Masa CMS has minimal privileges to limit the impact of a potential exploit.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL injection vulnerability in Masa CMS allows unauthenticated attackers to extract sensitive information, modify or delete database records, or potentially execute remote code on the database server. Such unauthorized access and manipulation of sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access and breaches.
Failure to patch this vulnerability or implement adequate mitigations could result in non-compliance with these standards due to potential data breaches, loss of data integrity, and compromised availability.