VYPR

Masacms

by Masacms

CVEs (15)

  • CVE-2024-32640 | Critical | Aug 11, 2025
    risk 0.64 | cvss 9.8 | epss 0.69

    MASA CMS is an Enterprise Content Management platform based on open source technology. Versions prior to 7.4.5, 7.3.12, and 7.2.7 contain a SQL injection vulnerability in the `processAsyncObject` method that can result in remote code execution. Versions 7.4.5, 7.3.12, and 7.2.7…

  • CVE-2026-40331 | Critical | May 5, 2026
    risk 0.60 | cvss | epss 0.00

    Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, the unauthenticated JSON API accepts an altTable parameter that is stored via the setAltTable() method without validation or…

  • CVE-2026-40330 | Critical | May 5, 2026
    risk 0.53 | cvss | epss 0.00

    Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, a SQL injection vulnerability exists in the beanFeed.cfc component within the getQuery function's handling of the…

  • CVE-2026-40329 | Critical | May 5, 2026
    risk 0.53 | cvss | epss 0.00

    Masa CMS is an open source content management system. In versions 7.5.2 and earlier, a SQL injection vulnerability exists in the beanFeed.cfc component within the getQuery function's processing of the sortBy parameter. The application fails to properly sanitize or parameterize…

  • CVE-2026-40325 | High | May 6, 2026
    risk 0.50 | cvss | epss 0.00

    Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the `cTrash.restore` function does not properly validate anti-CSRF tokens for content restoration requests. An attacker can trick a logged-in administrator into submitting a forged request…

  • CVE-2026-40309 | High | May 6, 2026
    risk 0.40 | cvss | epss 0.00

    Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.empty function does not validate anti-CSRF tokens for trash management requests. An attacker can induce a logged-in administrator to submit a forged request that empties the…

  • CVE-2026-40326 | High | May 6, 2026
    risk 0.39 | cvss | epss 0.00

    Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the createBundle method in `csettings.cfc` does not properly validate anti-CSRF tokens for site bundle creation requests. An attacker can craft a malicious webpage or link that, when…

  • CVE-2026-40174 | High | May 6, 2026
    risk 0.39 | cvss | epss 0.00

    Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cUsers.updateAddress function does not properly validate anti-CSRF tokens for user address management operations. An attacker can induce a logged-in administrator to submit a forged…

  • CVE-2026-40332 | Medium | May 6, 2026
    risk 0.27 | cvss | epss 0.00

    Masa CMS is affected by an Open Redirect vulnerability due to improper handling of scheme-relative URLs. The application incorrectly interprets paths beginning with double slashes (//) as internal paths, failing to validate the redirect target before processing. The application…

  • CVE-2022-47002 | Feb 1, 2023
    risk 0.05 | cvss | epss 0.06

    A vulnerability in the Remember Me function of Masa CMS v7.2, 7.3, and 7.4-beta allows attackers to bypass authentication via a crafted web request.

  • CVE-2021-42183 | May 5, 2022
    risk 0.04 | cvss | epss 0.05

    MasaCMS 7.2.1 is affected by a path traversal vulnerability in /index.cfm/_api/asset/image/.

  • CVE-2024-32641 | Dec 3, 2025
    risk 0.01 | cvss | epss 0.11

    Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria parameter. This input is…

  • CVE-2025-66492 | Dec 12, 2025
    risk 0.00 | cvss | epss 0.00

    Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below, 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are vulnerable to XSS when an unsanitized value of the ajax URL query parameter is directly included within the…

  • CVE-2024-32643 | Dec 3, 2025
    risk 0.00 | cvss | epss 0.00

    Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the page is modified to include a /tag/ declaration, the CMS will render the page regardless of group restrictions. This vulnerability is fixed in 7.2.8, 7.3.13,…

  • CVE-2024-32642 | Dec 3, 2025
    risk 0.00 | cvss | epss 0.00

    Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, Masa CMS is vulnerable to host header poisoning, which allows account takeover via a password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6.