CVE-2026-40174
Status: Received - Intake
CSRF in Masa CMS Address Management

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: GitHub, Inc.

Description
Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cUsers.updateAddress function does not properly validate anti-CSRF tokens for user address management operations. An attacker can induce a logged-in administrator to submit a forged request that adds, modifies, or deletes user address records, including email addresses and phone numbers. This can be used to alter contact information, redirect organizational communications, and corrupt address data in the user directory. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, or deploy filtering rules to block forged requests to the affected endpoint.
Meta Information
Published: 2026-05-06
Last Modified: 2026-05-06
Generated: 2026-05-27
AI Q&A: 2026-05-07
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 5 associated CPEs

Vendor     Product    Version / Range
masa_cms   masa_cms   up to 7.5.3 (excluding)
masa_cms   masa_cms   7.2.10
masa_cms   masa_cms   7.3.15
masa_cms   masa_cms   7.4.10
masa_cms   masa_cms   7.5.3
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Masa CMS versions 7.5.2 and earlier, specifically in the cUsers.updateAddress function. The function does not properly validate anti-CSRF tokens during user address management operations.

As a result, an attacker can trick a logged-in administrator into submitting a forged request that can add, modify, or delete user address records, including email addresses and phone numbers.

This allows the attacker to alter contact information, redirect organizational communications, and corrupt address data in the user directory.

How can this vulnerability impact me?

The vulnerability can impact you by allowing an attacker to manipulate user address records without proper authorization.

  • Alteration of contact information such as email addresses and phone numbers.
  • Redirection of organizational communications to unintended recipients.
  • Corruption of address data in the user directory, potentially causing operational disruptions.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, you should restrict access to the administrative backend.

Use browser isolation for administrative sessions to prevent attackers from exploiting forged requests.

Deploy filtering rules to block forged requests targeting the affected endpoint related to user address management.

Additionally, update Masa CMS to one of the fixed versions: 7.2.10, 7.3.15, 7.4.10, or 7.5.3 as soon as possible.
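To make concrete what "properly validate anti-CSRF tokens" and "filtering rules to block forged requests" mean for an address-update endpoint, here is an added example (not Masa CMS code; the request model, origin, and route are assumed placeholders) that applies the synchronizer-token pattern plus a same-site Origin/Referer check before any address record changes:

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed request model for this example, not Masa CMS's own API."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


SITE_ORIGIN = "https://cms.example.test"          # assumed admin origin
ADDRESS_ENDPOINT = "/admin/users/updateAddress"   # placeholder route, not the real one


def issue_csrf_token(session):
    """Bind a fresh random token to the authenticated session (synchronizer token)."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def is_forged(req):
    """Return why a state-changing request fails CSRF checks, or None if it passes.
    The same checks (method, same-site Origin/Referer, valid token) are what a
    front-end filtering rule for the advisory's workaround would enforce."""
    if req.method != "POST":
        return "state change must use POST"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return "cross-site origin"        # also rejects requests with neither header
    expected = req.session.get("csrf_token", "")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "missing or mismatched anti-CSRF token"
    return None


def update_address(req, directory):
    """Hardened handler: the address record changes only when is_forged() is None."""
    reason = is_forged(req)
    if reason:
        return {"ok": False, "reason": reason}
    record = directory.setdefault(req.form["userid"], {})
    record.update(email=req.form.get("email"), phone=req.form.get("phone"))
    return {"ok": True, "userid": req.form["userid"]}
```

The token comparison uses a constant-time compare so that a mismatched token cannot be distinguished by timing, and the Origin check rejects requests that carry neither Origin nor Referer.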