External risk intelligence

Masa CMS can expose customer data and admin passwords due to a flaw in its API.

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-40331

Masa CMS has a critical flaw in its API that lets anyone access sensitive data, like admin passwords, without needing an account. This could expose your customer information and system access.

Halo Surface Signal: 5

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-40331

The vulnerability resides in a content management system's JSON API. As a web-facing CMS, the system is intended to be accessible over the internet to serve content. The specific vulnerable component is an unauthenticated API endpoint, which is designed for public interaction and accessibility in standard deployments.

PCI scan relevance

PCI Relevance for CVE-2026-40331

Yes

CVE-2026-40331 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This SQL injection vulnerability in Masa CMS allows unauthenticated attackers to read sensitive database information, including credentials. This could lead to a PCI scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Masa CMS allows attackers to access sensitive database information, including user credentials. It impacts the unauthenticated JSON API, meaning any unauthorized party can exploit it to read data from any table. This could lead to significant security breaches and unauthorized access to your content management system.

  • Sensitive data exposure.
  • Attackers can read any database table.
  • No authentication required to exploit.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to the JSON API. This request will leverage a flaw in how the `altTable` parameter is handled, allowing the attacker to inject a SQL subquery. This subquery can then be used to extract sensitive information directly from the database.

  • Target the JSON API.
  • No authentication required.
  • Inject SQL subquery via `altTable`.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Masa CMS is reachable by unauthenticated users and allows SQL injection, granting access to sensitive data such as credentials. Because it can be exploited with a single HTTP request, it is a prime target for attackers looking to quickly compromise systems for data theft or further access. Given the widespread nature of content management systems, the potential attack surface is significant.

  • Unauthenticated SQL injection
  • Exploitable via API
  • Broad impact on sensitive data

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize blocking unauthenticated API access and isolating systems if patching is delayed, as this critical SQL injection vulnerability allows unauthenticated attackers to read sensitive data from any database table. Investigate logs for evidence of exploitation.

  • Update to fixed versions 7.2.10, 7.3.15, 7.4.10, or 7.5.3.
  • Disable JSON API or restrict input to alphanumeric table names.
  • Monitor for unauthorized data access.

Frequently asked questions

What is Masa CMS and what is it used for?

Masa CMS is an open-source content management system used for building and managing websites. It allows users to create, organize, and publish content, similar to other platforms like WordPress or Drupal.

How does CVE-2026-40331 allow attackers to access data?

This vulnerability, classified as CWE-89 (SQL Injection), allows an attacker to insert malicious SQL code into the `altTable` parameter of the JSON API. This code then manipulates database queries to read sensitive information from any table, including credentials.

What are the attacker's preconditions to exploit this vulnerability?

An attacker does not need any authentication to exploit this flaw. They only need to be able to send an HTTP request to the Masa CMS JSON API. The vulnerability is triggered by sending a specially crafted request with an arbitrary subquery in the `altTable` parameter.

Who should be concerned about CVE-2026-40331?

Organizations using Masa CMS should be concerned. The Halo Surface Signal indicates this is a very likely threat because the vulnerable JSON API is typically internet-facing, making it accessible to external attackers seeking sensitive data.

What is the first step for organizations running Masa CMS with this vulnerability?

The immediate first step is to update Masa CMS to a fixed version: 7.2.10, 7.3.15, 7.4.10, or 7.5.3. If an update is not immediately possible, consider disabling the JSON API or implementing input validation for the `setAltTable` function as a workaround.
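The allowlist check recommended above (restricting the `altTable` value to plain alphanumeric table names, as in the Operational Fix section and the workaround for `setAltTable`) together with a sweep of access logs for requests that violate it, written here as an added example; it is not code from Masa CMS or from the advisory. Assumptions: the JSON API path in the constructed log lines, Common Log Format, and that underscore is acceptable in a table name.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allowlist for a table-name parameter: letters, digits and underscore only.
# Assumption: the advisory says "alphanumeric table names"; underscore is
# added here because it is common in schemas. Tighten to match your own.
ALT_TABLE_PATTERN = re.compile(r"^[A-Za-z0-9_]{1,64}$")

def is_safe_alt_table(value: str) -> bool:
    """True only when value is a bare identifier; anything else is rejected."""
    return bool(ALT_TABLE_PATTERN.fullmatch(value))

# Common Log Format request line (assumed log layout, not Masa's own format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def extract_alt_table(target: str):
    """Return the percent-decoded altTable query value, or None if absent."""
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get("altTable")
    return values[0] if values else None

def find_suspicious_requests(log_lines):
    """Flag requests whose altTable value fails the allowlist.
    Returns a list of (client_ip, decoded_value) for analyst review."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        value = extract_alt_table(m.group("target"))
        if value is None:
            continue  # request did not carry altTable at all
        if not is_safe_alt_table(value):
            hits.append((m.group("ip"), value))
    return hits

# Constructed sample log lines (not real traffic); API path is an assumption.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2026:12:00:01 +0000] "GET /index.cfm/_api/json/v1/default/?method=findAll&altTable=tcontent HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/May/2026:12:00:02 +0000] "GET /index.cfm/_api/json/v1/default/?method=findAll&altTable=tcontent)%20x HTTP/1.1" 200 4096',
    '203.0.113.5 - - [10/May/2026:12:00:03 +0000] "GET /index.cfm/_api/json/v1/default/?method=findAll HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for ip, value in find_suspicious_requests(SAMPLE_LOG):
        print(f"suspicious altTable from {ip}: {value!r}")
```

The same `is_safe_alt_table` check, applied before the value reaches the query builder, is the server-side form of the "restrict input to alphanumeric table names" workaround; the log sweep covers the "investigate logs for evidence of exploitation" step.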

References