SQL Injection in Masacms

CVE-2026-40329

Masa CMS is an open source content management system. In versions 7.5.2 and earlier, a SQL injection vulnerability exists in the beanFeed.cfc component within the getQuery function's processing of the sortBy parameter. The application fail…

Vulnerability class: SQL Injection

EPSS: 0.002 (36.9th percentile) — read the EPSS interpretation.

Affected products

Masacms — versions < 7.2.10, >= 7.3.0, <= 7.3.14, >= 7.4.0, <= 7.4.9

Weakness classification (CWE)

CWE-89 — SQL Injection

References

https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-3xpq-q494-8qq4 (x_refsource_CONFIRM)