Primary

Context

Masa CMS Remote Code Execution Vulnerability

Vulnerability

Patched

A remote code execution vulnerability exists in Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6. The issue arises in the addParam function, which processes user input through the criteria parameter. This input is then evaluated by setDynamicContent, enabling an unauthenticated attacker to execute arbitrary code via the m tag. The vulnerability is present in versions 7.4.5 and earlier.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Masa CMS is hosted.

Reproduction

To reproduce this vulnerability, send a GET request to the Masa CMS JSON API v1 default endpoint. Include a payload in the ids parameter that uses the m tag to execute a command, such as sleep for 5 seconds. The server's delayed response will indicate successful exploitation.

Remediation

Users can upgrade to Masa CMS versions 7.4.6, 7.3.13, or 7.2.8 to address this vulnerability.

Added: Dec 3, 2025, 5:30 PM

Updated: Dec 3, 2025, 5:30 PM

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

10.0

exploitability

9.7

remediation

7.7

relevance

1.3

threat

6.4

urgency

2.9

incentive

10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

10.0

exploitability

9.7

remediation

7.7

relevance

1.3

threat

6.4

urgency

2.9

incentive

10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Masa CMS Remote Code Execution Vulnerability

Vulnerability

Impact

Reproduction

Remediation

Affected Products

Masa CMS

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating