SQL Injection in Masacms

CVE-2026-40331

Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, the unauthenticated JSON API accepts an altTable parameter that is stored via the se…

Vulnerability class: SQL Injection

EPSS: 0.001 (18.9th percentile)

Affected products

  • Masacms: versions <= 7.2.9; >= 7.3.0, <= 7.3.14; >= 7.4.0, <= 7.4.9
