← back
CVE-2024-32641

Masa CMS Vulnerable to Pre-Auth RCE via JSON API

CVSS 9.8 CRITICALEPSS 10.6%CWE-94
Vexday Risk Score
33Attention
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.8EPSS 10.6%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
03 Dec 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria parameter. This input is subsequently evaluated by setDynamicContent, allowing an unauthenticated attacker to execute arbitrary code via the m tag. The vulnerability is patched in versions 7.2.8, 7.3.13, and 7.4.6.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
MasaCMS · MasaCMS

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/MasaCMS/MasaCMS/commit/fb27f822fe426496af71205fa35208e58823fcf6https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-cj9g-v5mq-qrjm