CVE-2026-40326

HIGH

Masa CMS CSRF in site bundle creation allows unauthorized site data export

Title source: cna

Description

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the createBundle method in `csettings.cfc` does not properly validate anti-CSRF tokens for site bundle creation requests. An attacker can craft a malicious webpage or link that, when visited by a logged-in administrator, triggers the silent creation of a comprehensive site bundle. This bundle is saved to a predictable, publicly accessible web directory. An unauthenticated attacker can then retrieve the bundle and obtain site content, user account data, password hashes, form submissions, email lists, plugins, and configuration data. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, remove unexpected bundle files from public directories, restrict access to the affected endpoint, and limit exposure of administrative sessions.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-622v-h7vf-w4gm

Scores

CVSS v4 7.1

EPSS 0.0016

EPSS Percentile 5.0%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (4)

MasaCMS/MasaCMS < 7.2.10

MasaCMS/MasaCMS >= 7.3.0, < 7.3.15

MasaCMS/MasaCMS >= 7.4.0, < 7.4.10

MasaCMS/MasaCMS >= 7.5.0, < 7.5.3

Published May 06, 2026

Tracked Since May 07, 2026