CVE-2026-40309
CSRF in Masa CMS Trash Management
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| masa_cms | masa_cms | < 7.5.3 (up to, excluding, 7.5.3) |
| masa_cms | masa_cms | 7.2.10 |
| masa_cms | masa_cms | 7.3.15 |
| masa_cms | masa_cms | 7.4.10 |
| masa_cms | masa_cms | 7.5.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability can cause permanent deletion of all deleted content in the trash of Masa CMS, resulting in irreversible data loss.
This disrupts the ability to recover content that was meant to be restored, potentially affecting website content integrity and availability.
If exploited, it could lead to significant operational disruption, especially if backups are not current or accessible.
Can you explain this vulnerability to me?
This vulnerability exists in Masa CMS versions 7.5.2 and earlier, where the cTrash.empty function does not validate anti-CSRF tokens for trash management requests.
An attacker can exploit this by tricking a logged-in administrator into submitting a forged request that empties the trash, permanently deleting all deleted content.
This leads to irreversible data loss and disrupts the recovery of content that was intended to be restored.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should restrict access to the administrative backend to trusted users only.
Use browser isolation techniques for administrative sessions to reduce the risk of CSRF attacks.
Maintain current database backups regularly to enable recovery from any unauthorized deletion.
Additionally, upgrade Masa CMS to a fixed version (7.2.10, 7.3.15, 7.4.10, or 7.5.3 or later).
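The control that the CWE-352 entry above describes as missing, shown as an added Python illustration that is not Masa CMS code and not from the advisory: a destructive "empty trash" handler that relies on the session cookie alone beside one that also requires a per-session anti-CSRF token and a matching Origin header. The session store, trash list and origin value are constructed for the example.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session store: session id -> session data.
# A real deployment would issue the token per login and embed it in the admin form.
SESSIONS = {"sess-admin": {"user": "admin", "csrf_token": secrets.token_hex(16)}}
SITE_ORIGIN = "https://cms.example"  # assumed origin of the admin backend


def issue_csrf_token(session_id):
    """Return the token the legitimate admin form must carry back."""
    return SESSIONS[session_id]["csrf_token"]


def empty_trash_unsafe(trash, session_id, form, origin=None):
    """Vulnerable pattern (CWE-352): only the session cookie is checked.
    A browser attaches that cookie to a cross-site POST as well, so a
    forged request from a logged-in admin's browser empties the trash."""
    if session_id not in SESSIONS:
        return False
    trash.clear()
    return True


def empty_trash_safe(trash, session_id, form, origin):
    """Hardened handler: the request must carry the session's anti-CSRF
    token (compared in constant time) and originate from the site itself.
    A forged cross-site request lacks the token, so nothing is deleted."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    if not hmac.compare_digest(form.get("csrfToken", ""), session["csrf_token"]):
        return False
    if origin != SITE_ORIGIN:
        return False
    trash.clear()
    return True


def demo():
    """Run a forged (token-less) request against both handlers and a
    legitimate request against the safe one; return the three outcomes."""
    forged = {}  # cross-site form: cookie rides along, token does not
    legit = {"csrfToken": issue_csrf_token("sess-admin")}
    t1, t2, t3 = ["page-17"], ["page-17"], ["page-17"]
    return (
        empty_trash_unsafe(t1, "sess-admin", forged),               # True: deleted
        empty_trash_safe(t2, "sess-admin", forged, "https://evil.example"),  # False
        empty_trash_safe(t3, "sess-admin", legit, SITE_ORIGIN),     # True: intended
    )
```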
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Masa CMS allows an attacker to cause irreversible data loss by emptying the trash without validating anti-CSRF tokens. This can disrupt the recovery of deleted content, potentially impacting data integrity and availability.
Such data loss and disruption could affect compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity, availability, and proper controls to prevent unauthorized data modification or deletion.
However, the provided information does not explicitly state the impact on compliance with these regulations.