CVE-2026-40309
Received
Received - Intake
CSRF in Masa CMS Trash Management
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Description
Description
Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.empty function does not validate anti-CSRF tokens for trash management requests. An attacker can induce a logged-in administrator to submit a forged request that empties the trash and permanently deletes all deleted content. This can cause irreversible data loss and disrupt recovery of content intended for restoration. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, and maintain current database backups to recover from unauthorized deletion.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| masa_cms | masa_cms | to 7.5.3 (exc) |
| masa_cms | masa_cms | 7.2.10 |
| masa_cms | masa_cms | 7.3.15 |
| masa_cms | masa_cms | 7.4.10 |
| masa_cms | masa_cms | 7.5.3 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70