CVE-2026-40174
Received Received - Intake

CSRF in Masa CMS Address Management

Vulnerability report for CVE-2026-40174, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: GitHub, Inc.

Description

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cUsers.updateAddress function does not properly validate anti-CSRF tokens for user address management operations. An attacker can induce a logged-in administrator to submit a forged request that adds, modifies, or deletes user address records, including email addresses and phone numbers. This can be used to alter contact information, redirect organizational communications, and corrupt address data in the user directory. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, or deploy filtering rules to block forged requests to the affected endpoint

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-07-06
AI Q&A
2026-05-07
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
masa_cms masa_cms to 7.5.3 (exc)
masa_cms masa_cms 7.2.10
masa_cms masa_cms 7.3.15
masa_cms masa_cms 7.4.10
masa_cms masa_cms 7.5.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Masa CMS versions 7.5.2 and earlier, specifically in the cUsers.updateAddress function. The function does not properly validate anti-CSRF tokens during user address management operations.

As a result, an attacker can trick a logged-in administrator into submitting a forged request that can add, modify, or delete user address records, including email addresses and phone numbers.

This allows the attacker to alter contact information, redirect organizational communications, and corrupt address data in the user directory.

Impact Analysis

The vulnerability can impact you by allowing an attacker to manipulate user address records without proper authorization.

  • Alteration of contact information such as email addresses and phone numbers.
  • Redirection of organizational communications to unintended recipients.
  • Corruption of address data in the user directory, potentially causing operational disruptions.
Mitigation Strategies

To mitigate this vulnerability immediately, you should restrict access to the administrative backend.

Use browser isolation for administrative sessions to prevent attackers from exploiting forged requests.

Deploy filtering rules to block forged requests targeting the affected endpoint related to user address management.

Additionally, update Masa CMS to one of the fixed versions: 7.2.10, 7.3.15, 7.4.10, or 7.5.3 as soon as possible.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40174. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart