SQL Injection Vulnerability in Masa CMS Affects Multiple Versions
CVE-2026-40330

9.3 CRITICAL

Key Information:

Vendor

Masacms

Status
Vendor
CVE Published:
5 May 2026

What is CVE-2026-40330?

A SQL injection vulnerability exists in the beanFeed.cfc component of Masa CMS across various versions. This flaw arises from the improper handling of the sortDirection parameter, which is concatenated directly into SQL queries without adequate sanitization or parameterization. As a result, an unauthenticated attacker could exploit this vulnerability to extract sensitive data, modify or delete database records, and potentially execute arbitrary code on the underlying database server. The issue has been resolved in later versions, but users are advised to implement additional security measures, such as a Web Application Firewall (WAF), to protect against SQL injection attacks targeting this specific parameter.
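The flaw described above is a classic case of a sort keyword being spliced into query text. Because a sort direction is a SQL keyword rather than a value, it cannot be passed as a bind parameter; the correct fix is to accept only the two literal keywords and bind everything else. The following Python/sqlite3 script is an added illustration of that pattern, not code from Masa CMS: the table name, column names and sample rows are constructed stand-ins, and `vulnerable_feed_sql` only builds (never executes) the concatenated query so the effect of the concatenation is visible next to the allow-listed version.

```python
"""Sort-direction concatenation flaw and its allow-list fix (added example).

Schema, rows and function names are constructed stand-ins, not Masa CMS code.
"""
import sqlite3

ALLOWED_SORT_DIRECTIONS = ("ASC", "DESC")

# Constructed sample rows for a hypothetical feed table.
_SAMPLE_ROWS = [
    ("Welcome post", "2026-01-03"),
    ("Release notes", "2026-02-14"),
    ("Maintenance window", "2026-01-20"),
]


def _sample_connection():
    """In-memory table standing in for the application's feed storage."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE feed_items (title TEXT, published TEXT)")
    conn.executemany("INSERT INTO feed_items VALUES (?, ?)", _SAMPLE_ROWS)
    return conn


def vulnerable_feed_sql(sort_direction):
    """The flawed pattern: the request value lands verbatim in the SQL text.

    Returned as a string, not executed, so the concatenation is visible.
    """
    return "SELECT title FROM feed_items ORDER BY published " + sort_direction


def normalize_sort_direction(value):
    """Allow-list check: only the two SQL keywords are ever accepted."""
    direction = (value or "").strip().upper()
    if direction not in ALLOWED_SORT_DIRECTIONS:
        raise ValueError("sortDirection must be ASC or DESC")
    return direction


def is_safe_sort_direction(value):
    """True when the value would pass the allow-list check."""
    try:
        normalize_sort_direction(value)
        return True
    except ValueError:
        return False


def hardened_feed_titles(sort_direction, published_after=None):
    """Hardened query: keyword from the allow-list, data via bind parameters."""
    direction = normalize_sort_direction(sort_direction)
    sql = "SELECT title FROM feed_items"
    params = []
    if published_after is not None:
        sql += " WHERE published > ?"      # data value: bound, never concatenated
        params.append(published_after)
    sql += " ORDER BY published " + direction  # safe: one of two fixed constants
    conn = _sample_connection()
    try:
        return [row[0] for row in conn.execute(sql, params)]
    finally:
        conn.close()


if __name__ == "__main__":
    print(vulnerable_feed_sql("DESC -- untrusted tail"))
    print(hardened_feed_titles("asc"))
    print(hardened_feed_titles("desc", published_after="2026-01-10"))
    print(is_safe_sort_direction("DESC -- untrusted tail"))
```

The allow-list is the code-level fix; a WAF rule on the `sortDirection` parameter, as the advisory suggests, is only a compensating control in front of unpatched versions. The same split applies to any other ORDER BY fragment (column names included): map request values onto a fixed set of identifiers, and bind actual data.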

Affected Version(s)

MasaCMS <= 7.2.9

MasaCMS >= 7.3.0, <= 7.3.14

MasaCMS >= 7.4.0, <= 7.4.9

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
