CVE-2026-40330
CriticalSummary
Masa CMS has a SQL injection vulnerability in the beanFeed.cfc component in versions 7.2.0-7.2.9, 7.3.0-7.3.14, 7.4.0-7.4.9, and 7.5.0-7.5.2. The sortDirection parameter is concatenated directly into SQL queries without sanitization, allowing attackers to remotely extract sensitive information or modify data.
Risk Assessment
An attacker can exploit this vulnerability to gain access to sensitive data, modify or delete database records, and potentially achieve remote code execution on the database server.
Recommendation
It is recommended to upgrade to versions 7.2.10, 7.3.15, 7.4.10, or 7.5.3. Alternatively, a WAF can be used to block access to the beanFeed.cfc component or deploy rules to detect SQL injection patterns.
Original NVD description (English source)
Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, a SQL injection vulnerability exists in the beanFeed.cfc component within the getQuery function's handling of the sortDirection parameter. The parameter value is concatenated directly into SQL queries without sanitization or parameterization. An unauthenticated remote attacker can exploit this to extract sensitive information, modify or delete database records, or potentially achieve remote code execution on the underlying database server. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, use a WAF to block or restrict access to the beanFeed.cfc component, or deploy rules to detect SQL injection patterns targeting the sortDirection parameter.

