External risk intelligence

Masa CMS can leak sensitive data and allow attackers to control your database.

CVE advisory
Severity: CRITICAL (CVSS 9.3)

CVE-2026-40330

Masa CMS has a critical flaw allowing unauthenticated attackers to steal or delete your sensitive data and potentially control your database. This issue is a high priority for immediate attention.

Halo Surface Signal: 4

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-40330

Masa CMS is a web-based content management system, which is commonly deployed as an internet-facing web application. Because the vulnerability resides in a component used for managing site content and database interaction, the application is frequently exposed to the public internet in standard deployments.

Horizon Alert

Summary of the vulnerability and why it matters

Masa CMS has a critical SQL injection vulnerability in the beanFeed.cfc component that allows attackers to manipulate your database without needing any credentials. This issue can lead to serious data loss or compromise.

  • Attackers can steal or delete data.
  • Unauthenticated access is possible.
  • Remote code execution is a potential risk.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could exploit this SQL injection vulnerability in Masa CMS by sending a crafted request to the `beanFeed.cfc` component. This would allow them to manipulate SQL queries using the `sortDirection` parameter, potentially leading to data theft, modification, or even remote code execution on the database.

  • Requires only unauthenticated remote access.
  • Entry point is the `sortDirection` parameter of `beanFeed.cfc`.
  • No user interaction required.

Live Threat

Current exploitation, exposure, and threat context

This SQL injection vulnerability in Masa CMS affects multiple versions and allows unauthenticated remote attackers to potentially extract, modify, or delete sensitive data. The direct concatenation of user input into SQL queries without sanitization is a common and critical flaw that attackers favor. Given the widespread use of CMS platforms and the potential for significant data compromise, this vulnerability is a prime candidate for exploitation.

  • Exploitation is likely.
  • No public exploits observed yet.
  • Affects internet-facing systems.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Masa CMS to versions 7.2.10, 7.3.15, 7.4.10, or 7.5.3 to address the SQL injection vulnerability. If immediate patching is not feasible, implement a Web Application Firewall (WAF) to block access to the beanFeed.cfc component and deploy rules to detect SQL injection patterns targeting the sortDirection parameter.

  • Upgrade Masa CMS to fixed versions.
  • Block beanFeed.cfc component access.
  • Monitor for SQL injection patterns.

Frequently asked questions

What is Masa CMS and what versions are affected by the SQL injection vulnerability?

Masa CMS is an open-source content management system. Versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2 are affected by a critical SQL injection vulnerability.

How does the SQL injection vulnerability in Masa CMS work?

The vulnerability exists in the `beanFeed.cfc` component, specifically within the `getQuery` function. The `sortDirection` parameter is directly concatenated into SQL queries without proper sanitization, allowing attackers to inject malicious SQL commands.

What are the potential impacts of exploiting this SQL injection vulnerability in Masa CMS?

An unauthenticated remote attacker can exploit this vulnerability to extract sensitive information, modify or delete database records, and potentially achieve remote code execution on the underlying database server.

What is the threat assessment for this Masa CMS SQL injection vulnerability?

This vulnerability is assessed as critical with a CVSS v4.0 base score of 9.3. It is classified as external due to the network attack vector, and Halo Surface Signal indicates it is likely to be exploited because Masa CMS is commonly deployed as an internet-facing web application.

How can organizations mitigate the SQL injection vulnerability in Masa CMS?

The recommended mitigation is to upgrade Masa CMS to fixed versions: 7.2.10, 7.3.15, 7.4.10, or 7.5.3. As a workaround, consider using a Web Application Firewall (WAF) to block access to the `beanFeed.cfc` component or implement rules to detect SQL injection patterns targeting the `sortDirection` parameter.
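The two defender-side measures the advisory describes (validating the sort direction before it reaches the query, and detecting requests to `beanFeed.cfc` whose `sortDirection` is not a plain ASC/DESC) are shown together below as an added example; it is not code from Masa CMS or from the advisory, it is written in Python rather than CFML for portability, and it assumes common-log-format access logs in which `sortDirection` arrives as a query parameter. The request paths in the sample lines are constructed, not Masa's real routes.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The only values a sort direction can legitimately take. Mapping input onto one of
# these fixed strings, instead of concatenating the raw parameter into ORDER BY,
# closes the injection point the advisory describes.
SORT_DIRECTIONS = {"ASC": "ASC", "DESC": "DESC"}


def normalize_sort_direction(value, default="ASC"):
    """Return a safe ORDER BY direction for an untrusted sortDirection value.
    Case and surrounding whitespace are ignored; anything else falls back to the
    default rather than reaching the query text."""
    if value is None:
        return default
    return SORT_DIRECTIONS.get(value.strip().upper(), default)


# Request line and status of a common-log-format entry (assumed log shape).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def flag_sort_direction_requests(log_lines, component="beanfeed.cfc"):
    """Return (line_number, decoded_value) for every request to the component
    whose sortDirection (parameter name matched case-insensitively, as CFML does)
    is not a plain ASC/DESC after normalization."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith(component):
            continue  # other components are out of scope for this rule
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            if name.lower() != "sortdirection":
                continue
            for raw in values:  # parse_qs has already percent-decoded the value
                if raw.strip().upper() not in SORT_DIRECTIONS:
                    hits.append((n, raw))
    return hits


# Constructed access-log lines; the paths are illustrative, not Masa CMS's real routes.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Mar/2026:09:14:01 +0000] "GET /index.cfm?sortDirection=DESC%27 HTTP/1.1" 200 1044',
    '203.0.113.7 - - [02/Mar/2026:09:14:05 +0000] "GET /beanFeed.cfc?method=getQuery&sortDirection=asc HTTP/1.1" 200 2210',
    '203.0.113.8 - - [02/Mar/2026:09:14:09 +0000] "GET /beanFeed.cfc?method=getQuery&sortDirection=DESC%27 HTTP/1.1" 500 318',
    '203.0.113.8 - - [02/Mar/2026:09:14:12 +0000] "POST /beanFeed.cfc?sortdirection=%20Desc%20 HTTP/1.1" 200 2210',
]
```

Only the third sample line is reported: the first targets a different component, and the padded lowercase value on the fourth normalizes to DESC, so the rule stays quiet on legitimate traffic.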
