CVE-2026-40309
HIGH
Masa CMS CSRF in trash management allows unauthorized permanent deletion of deleted content
Title source: cnaDescription
Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.empty function does not validate anti-CSRF tokens for trash management requests. An attacker can induce a logged-in administrator to submit a forged request that empties the trash and permanently deletes all deleted content. This can cause irreversible data loss and disrupt recovery of content intended for restoration. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, and maintain current database backups to recover from unauthorized deletion.
References (1)
x_refsource_confirm: https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-9f35-q62j-vm5j
Scores
CVSS v4: 7.2
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.0016
EPSS Percentile: 6.0%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-352
Status: published
Products (4)
MasaCMS/MasaCMS < 7.2.10
MasaCMS/MasaCMS >= 7.3.0, < 7.3.15
MasaCMS/MasaCMS >= 7.4.0, < 7.4.10
MasaCMS/MasaCMS >= 7.5.0, < 7.5.3
Published: May 06, 2026
Tracked Since: May 07, 2026