PT-2026-37237 · Masacms · Masacms
H0J3N · Published 2026-05-05 · Updated 2026-05-05 · CVE-2026-40331
CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Masa CMS versions 7.2.0 through 7.2.9
Masa CMS versions 7.3.0 through 7.3.14
Masa CMS versions 7.4.0 through 7.4.9
Masa CMS versions 7.5.0 through 7.5.2

Description
The unauthenticated JSON API accepts an altTable parameter that is stored via the setAltTable() method without validation or sanitization. This value is injected directly into a SQL FROM clause within feedGateway.cfc. An unauthenticated attacker can pass an arbitrary subquery into the altTable parameter to read sensitive data from any table in the database in a single HTTP request, including administrative credentials and password reset tokens.

Recommendations
Update versions 7.2.0 through 7.2.9 to 7.2.10.
Update versions 7.3.0 through 7.3.14 to 7.3.15.
Update versions 7.4.0 through 7.4.9 to 7.4.10.
Update versions 7.5.0 through 7.5.2 to 7.5.3.
Apply validation to the setAltTable() function in core/mura/content/feed/feedBean.cfc to restrict input to simple alphanumeric table names.
Disable the JSON API if it is not required.
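As an added example (not Masa CMS's own code), the allowlist check the recommendations describe for setAltTable(), modelled in Python, together with a scan of constructed access-log lines that flags JSON API requests whose altTable value would fail that check. The request path, the log format and the 64-character identifier cap are assumptions, not values from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allowlist the advisory recommends: a simple alphanumeric table name.
# The 64-character cap is an assumption (MySQL's identifier limit), not from the page.
ALT_TABLE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,63}$")


def is_safe_alt_table(value: str) -> bool:
    """True only for a plain table name; subqueries, spaces, quotes and parentheses all fail."""
    return bool(ALT_TABLE_RE.fullmatch(value))


def set_alt_table(bean: dict, value: str) -> dict:
    """Model of a hardened setAltTable(): store the value only after it passes the allowlist."""
    if not is_safe_alt_table(value):
        raise ValueError(f"altTable rejected: {value!r}")
    bean["altTable"] = value
    return bean


# Constructed Common Log Format lines, not real traffic. /JSON_API_PATH_PLACEHOLDER/ stands in
# for the JSON API endpoint, which the advisory does not name.
SAMPLE_LOG = """\
203.0.113.10 - - [05/May/2026:10:00:01 +0000] "GET /JSON_API_PATH_PLACEHOLDER/?altTable=tcontent HTTP/1.1" 200 512
203.0.113.11 - - [05/May/2026:10:00:02 +0000] "GET /JSON_API_PATH_PLACEHOLDER/?altTable=(select%201) HTTP/1.1" 200 812
203.0.113.12 - - [05/May/2026:10:00:03 +0000] "GET /JSON_API_PATH_PLACEHOLDER/?method=list HTTP/1.1" 200 300
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')


def flag_suspicious_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, decoded altTable value) for requests whose altTable fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        query = parse_qs(urlsplit(m.group("target")).query)  # parse_qs URL-decodes the values
        for value in query.get("altTable", []):
            if not is_safe_alt_table(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in flag_suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent altTable={value!r}")
```

The same allowlist serves both purposes: in the bean it blocks the injection, and over web-server logs it surfaces attempts against unpatched instances.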

Weakness Enumeration: SQL injection
Related Identifiers: CVE-2026-40331
Affected Products: Masacms